
SoylentNews is people

posted by Dopefish on Sunday February 23 2014, @12:00PM
from the stick-to-a-real-human-teller dept.
berrance writes "ITworld reports that the source code for the Android mobile banking Trojan app 'iBanking' has surfaced via an underground forum. The software has been masquerading as a security app appearing on banking sites, via HTML injection attacks. In addition to serving as a Trojan, this app is also a botnet client, which 'connects to a command-and-control server that allows attackers to issue commands to each infected device.'"
This discussion has been archived. No new comments can be posted.
  • (Score: 1, Interesting) by ls671 on Sunday February 23 2014, @12:25PM

    by ls671 (891) Subscriber Badge on Sunday February 23 2014, @12:25PM (#5161) Homepage

    Security app, great! Do not install anything without really trusting the source. Better yet, check the signature or at least the md5 sum from a reliable source before install. Same old, same old.

    --
    Everything I write is lies, including this sentence.
    • (Score: 5, Insightful) by FuckBeta on Sunday February 23 2014, @12:39PM

      by FuckBeta (1504) on Sunday February 23 2014, @12:39PM (#5167) Homepage

      What about using only software which respects your freedom? Not everyone will agree with RMS, but he has proven uncommonly prescient in some of his writings about the consequence of accepting nonfree software.
      Internet banking is typically accessed over HTTP and TLS. Therefore users can use existing free and open source software to perform this task.

      Trying to "secure" nonfree software is putting lipstick on a pig. Users are asked to rely on unauditable and therefore untrustable code to mitigate potential exploits in other untrustable, unauditable code.

      Developments in computing this last generation have been nothing short of revolutionary. If people wish the benefits then they must take personal responsibility for understanding as much as they are able to about computers and software, and then make rational choices accordingly. Choosing software which respects your freedom is one such choice. Anything less is papering over cracks and ultimately self defeating. It is challenging, and not suited to everyone, however the benefit of an advanced society is that we each specialise in the work we like the best. Nobody has to write a kernel or browser from scratch, there are free packages available. We can each stand on the shoulders of giants. All that is required is a willingness to learn and take personal responsibility for who we choose to trust.

      For those who prefer slick marketing and the illusion of security to actual knowledge, they will get what they ultimately deserve. I predict the creation of a technically illiterate underclass (and perhaps a politically illiterate underclass also) if this disturbing social trend is not reversed.

      The younger generation have a lot to answer for. They inherited the infrastructure built by those older and wiser, and have turned it into an entertainment / vanity platform. Interestingly one of the WhatsApp founders is from a former Soviet state and recently spoke to the media about how important privacy is to him - across the page, an article about poorly implemented crypto in WhatsApp!

      --
      Quit Slashdot...because Fuck Beta!
      • (Score: 5, Insightful) by Nerdfest on Sunday February 23 2014, @03:21PM

        by Nerdfest (80) on Sunday February 23 2014, @03:21PM (#5192)

        Arguing freedom over controlled but shiny does not seem to work well these days. People these days have no vision beyond short term gratification.

      • (Score: 2, Insightful) by digitalaudiorock on Sunday February 23 2014, @05:28PM

        by digitalaudiorock (688) on Sunday February 23 2014, @05:28PM (#5235) Journal

        For me the most astonishing aspect of all of this is the bullshit "there's an app for everything" mentality...most of the time involving stuff that could be done in a fucking browser. Can you imagine if people were told they had to install an application on their computer for every site they used? Yet in the age of smart phones that's precisely what everyone seems to be doing...crazed.

        • (Score: 1, Insightful) by linsane on Sunday February 23 2014, @05:44PM

          by linsane (633) on Sunday February 23 2014, @05:44PM (#5242)

          Yet just think of the moment that, a couple of years ago, most likely in an Apple Inc. office somewhere, there must have been a conversation where someone worked out that that was the way to monetize the interweb, 99c at a time.

          Absolute genius even if you don't approve of the end result.

        • (Score: 2, Interesting) by lhsi on Sunday February 23 2014, @06:50PM

          by lhsi (711) on Sunday February 23 2014, @06:50PM (#5267) Journal
          Phone apps can have a lot more functionality than a web site in a browser. Apps that just effectively show a webpage are essentially glorified bookmarks though.

          Although speaking of bookmarks, I wish I could manage bookmarks on Android Chrome as easily as I can manage apps.

  • (Score: 5, Funny) by Debvgger on Sunday February 23 2014, @01:46PM

    by Debvgger (545) on Sunday February 23 2014, @01:46PM (#5181)

    Download link is missing! :-)

    • (Score: 1) by jt on Monday February 24 2014, @01:24AM

      by jt (2890) on Monday February 24 2014, @01:24AM (#5426)

      In all seriousness I want to d/l this and take a look at the code. Do they pull any interesting tricks? Any non-obvious techniques I could borrow for my non-malware apps? I learned a lot of interesting tricks from studying rootkit and virus source over the years, even if I don't get to apply it very often.

      If nothing else, the 'know your enemy' idea is useful for anyone of us who will be tasked with defending our users against this kind of thing.

  • (Score: 1) by sibiday fabis on Sunday February 23 2014, @07:00PM

    by sibiday fabis (2160) on Sunday February 23 2014, @07:00PM (#5276)

    FTA: "Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims' smartphones..."

    Sadly, there's an easily exploitable malware vector for this. The same users that install the "Free-Fix-My-Email-and-Smileys-and-Screensavers! Toolbar" and "Best Windows Anti Virus Tuneup Easy Microsoft Cleaner Free" type of software will fall for this, and it's a big group. Anything that claims to fix a problem or make something easier to accomplish for free is clickbait. Sometimes it only takes one failed connection to their banking site and they'll be off to find the "fix".

    Typically, they won't bother to call their bank. They will open a new tab (login for the bank site still open in the old tab), use their likely already hijacked search to look for a solution and click on the first shiny ad that seems to match the problem. Even if they don't try to install anything, the almost certainly out of date add-ins in their browser have vulnerabilities that enable a silent download. Game over, PC and phone infected.

    Uninformed users make this type of malware successful. I try to teach every customer basic safety practices so they at least have a fighting chance against this stuff. I'm happy to say that most people get it, but sometimes it takes two or three service calls before they pay attention.