iBanking Malware Analysis

Co-Authored with Itzik Chimino.
iBanking is malware that runs on Android mobile devices. It is delivered via a new variant of the computer banking Trojan Qadars, which deceives users into downloading iBanking malware on to their android device. It can be used with any malware used to inject code into a web app. The malware enables cybercriminals to intercept SMS and bypass the two-factor authentication methods used by several banks throughout the world to authorize mobile banking operations. iBanking malware acts as a spy that can also of grab contact lists, steal bank account details, forward incoming voice calls, and record the victim’s voice, which enables it to overcome voice recognition security features that financial institutions are beginning to implement. Cyber criminals ultimately utilize iBanking malware to transparently complete money transfers on behalf of the infected targeted users.

How the attack works

Focusing specifically on the new variant of iBanking malware that targets Facebook users, the attack begins by infecting users’ devices with the Qadars banking Trojan via a drive-by download from an unsuspecting website. Qadars then intercepts the webpage and uses JavaScript to inject code into the webpage—in this case, a Facebook page—that presents users with a fake verification pop-up page upon initial login. This page requests the victim’s phone number and Android device confirmation. The victim then receives an SMS message on the verified device, which directs him to a page with instructions to download added security. Once the victim installs the iBanking malware, it cannot be removed if it was given admin rights during the install process.

Remote control of the infected device

Once the malware is activated by the user on his smartphone, the attacker gains administrator permissions on his device. The attacker can now control a vast amount of functions such as:

1. Allows applications to change network connectivity state.

2. Allows an application to send/read SMS messages.

3. Allows an application to automatically start when the system boots.

4. Allows an application read-only access to phone state.

5. Allows an application to access approximate location derived from network location sources such as WiFi and cell antennas.

6. Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.

7. Allows an application to open network sockets.

8. Allows an application to write to external storage such as modify/delete SD card contents.

9. Allows an application to read the user's contacts data.

10. Allows an application to record audio such as phone calls and voice messages.



Click here to read the full technical iBanking Malware Analysis Report by F5 SOC.

To read more about F5 Global Security Operation Centers click here.


Published Oct 14, 2014
Version 1.0

Was this article helpful?


  • We heared that F5 Fraud Protection Function of “ Malware detection “ & “ Phishing attacks Protection “ can be easily mitigated using more cheap solution which is “ Bank Tokens “ that requests Token number with Every transaction What do u think ?
  • Pavel_Asinovsky's avatar
    Historic F5 Account
    Most of the modern Trojans nowadays overcome TFA by injecting fake fields or popups requesting these token numbers and even mobile applications that forward SMS messages containing PIN codes. I recommend you to read other analysis reports posted by Ilan, such as Neverquest or Tinba.