A malicious app targeting Android users has grown so fully featured that researchers said it has become one of the most expensive pieces of malware available in underground markets. The story helps demonstrate the high potential of Android-based trojans as operators of traditional PC-based fraud search for ways to bypass the increasing use of two-factor authentication.

Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device's microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset.

An analysis published Tuesday by researchers from Symantec explained:

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection. Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs, but with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking, and attacks are likely to grow further in the near future.

How it works

Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop-up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.

As more and more existing banking trojans make use of iBanking, people already infected with PC malware have begun to receive trojan-generated pop-ups that are injected into legitimate pages from sites such as Facebook. The messages try to trick users into thinking their Android phone must run an app in order to be compliant with their online banking service. Users can either follow a link in the pop-up, or, if they enter their cell number into the form, they will receive a text message that links to the malicious Android package. In addition to bypassing two-factor authentication offered by banks, iBanking may help malware circumvent similar protections offered by other types of sites.

"The way iBanking is installed on the user's mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud," Eset security researcher Jean-Ian Boutin wrote last month. "Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking."

Resisting whitehats

Besides the wide array of advanced surveillance and interception features, iBanking has also been designed to thwart reverse engineering by whitehat hackers and would-be competitors who want to create knockoffs. The app uses AES encryption to hide the contents of XML files that otherwise would make it easy to know exactly what functions the malware is carrying out. It also includes code obfuscation that, among other things, bloats the number of class files from 23 to 245. The obfuscation also replaces static variables such as "app_name" with meaningless strings to make it hard to figure out what their function is. What's more, a mechanism prevents iBanking from running properly in virtual machines often used in reverse engineering.

"Being aware of security-researchers and analysts, and employing anti-analysis mechanism has been a standard among PC-malware developers for quite a while; but is far from standard practice in the mobile malware field," Daniel Cohen, an analyst for RSA's FraudAction Group, wrote in a blog post published Tuesday. "The iBanking malware shows that mobile malware developers are becoming aware of the necessity to protect their bots against analysis, and indicates a possible new trend in this new and evolving mobile malware space."

iBanking is sold by a group known as GFF. As an interesting side note, the hefty $5,000 price tag for iBanking has persisted even in the months following the leak of its source code. The leak was carried out by someone who claimed he discovered that a friend's smartphone was infected by iBanking, and he ultimately tracked down the command and control channel it was contacting. The hacker eventually released the source code in underground forums, leading to speculation that it was obtained by hacking into one of the systems used by the iBanking operators.

"The release of the source code coincided with a significant uptick in iBanking activity," Tuesday's analysis from Symantec stated. "Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF."

Story updated to modify headline.