Malware has gone mobile, and now it’s getting social too.

A new one-two punch combination uses a malicious Javascript web injection on Facebook to try to fool users into downloading the iBanking rogue app onto their Android device.

How to Avoid Infection

First thing’s first: If you log onto Facebook on your computer and are mysteriously prompted to download a “unique software tool for safe and secure authentication” onto your Android device, do not proceed.

If this occurs, your computer has already been infected and downloading the software will infect your Android device as well. In the event that you are seeing such a prompt, we’d encourage you to seek help at our Help My PC is Infected! support forum. Malware removal is free, even if you are not an Emsisoft customer yet.

iBanking Play-by-Play

The prompt to download a “unique software tool” uses social engineering to try to trick Facebook users into downloading a supposed security app that enables two-factor authentication for their Facebook account. In reality, this “security app” is iBanking, an Android malware that can:

Intercept real two factor authentication codes sent by real service providers

Capture any incoming/outgoing SMS text

Redirect outgoing calls to a pre-programmed phone number

Capture audio by activating microphone

Steal metadata – call log and contacts list

In the past, iBanking has typically targeted financial websites, using the same malicious Javascript inject technique to attempt to fool users into download. Typically, the form asks for a user’s phone number and device type, and then sends a download link directly to the device in an SMS message. From there, the malicious downloader contains detailed installation instructions, even showing users how to Enable App Installation from Unknown Sources in the Android settings.

iBanking first achieved notoriety back in February, when its source code was leaked on an underground forum, making it widely available to malware authors around the world. Though the malware’s fundamental strategy – infect through web injection and then monitor mobile device activity – is nothing original, its recent appearance on Facebook is a new development and cause for some concern. Simply put: it is much easier and much more cost effective to target a social media website used by billions than it is to target a handful of banking sites that any given user may or may not use. Additionally, the malicious web injection could very easily be confused with a real request to enable two-factor authentication, especially by users who might have been made a tad paranoid about their personal security by the recent Heartbleed crisis.

Protecting Yourself from iBanking

Emsisoft Mobile Security detects the iBanking malware as Android.Trojan.SMSSend.HM (B).

SHA-1: fc13dc7a4562b9e52a8dff14f712f2d07e47def4

Additionally, our Behavior Blocking technology is designed to stop malicious Javascript injects like the one that propagates iBanking before they infect your computer.

How’s that for a one-two punch?

Protect your device with Emsisoft Anti-Malware. Did your antivirus let you down? We won’t. Download your free trial of Emsisoft Anti-Malware and see for yourself. Did your antivirus let you down? We won’t. Download your free trial of Emsisoft Anti-Malware and see for yourself. Start free trial

Have a Great (Mobile-Malware) Free Day!