Two banking trojans targeting mobile devices have recently been reported. The Android/OpFake and Android/Marry malware families stored their C&C servers inside Facebook Parse, the company’s BaaS (Backend-as-a-Service) offering.
BaaS is a cloud-based service that provides mobile app developers with ready-made tools, in the form of APIs, on which they can build the backend of their Android or iOS applications. Because application developers do not follow the security guidelines provided by BaaS providers, they create insecure mobile applications.
According to a report by researchers from the Technical University in Darmstadt, Germany, of the more than 2 million mobile applications built on BaaS backends, more than 56 million data records were exposed in the cloud.
In addition, the researchers found two mobile apps that were using a BaaS-powered backend to control two malware delivery campaigns. Since they were not malware threat analysts, the researchers called on the Intel Security group to properly analyze the two malware campaigns.
Intel came to the conclusion that these two campaigns used Facebook Parse accounts and the associated infrastructure as a command and control (C&C) server for their mobile banking trojans.
What the banking trojans actually did was commit SMS fraud and steal credit card numbers. The stolen data was sent to Facebook Parse databases, where it was analyzed, after which the infected phone received instructions from the server based on that data.
The attackers could send SMS messages to affiliate numbers, pocketing the profits, and if credit card numbers were found on the device, the trojan was also able to exfiltrate them.
Fortunately, the creators of both mobile banking trojans failed to heed the guidelines provided by the Facebook Parse team and left numerous security holes in their BaaS backend.
It is also known that the cybercriminals used five Facebook Parse accounts for their campaigns.
According to the researchers, some of the accounts were inactive, probably used in older campaigns, while the rest were still executing code. This means that the attackers were still using them to steal financial data from infected phones.
“The data shows that Android/OpFake gathered almost 170,000 SMS messages from infected devices,” Mr. Castillo observed, “and that more than 20,000 commands were successfully executed, most of them SMS tasks primarily for financial fraud.”
Additionally, some credit card numbers were also stolen, but no more than 200.
So far, the biggest victim in the campaign was an Eastern European bank that received 5,350 SMS messages to one of its account management numbers, through which various illegal operations were performed, either transferring funds to other accounts or topping up phone numbers with credit so that further SMS fraud could be carried out.
The good news here is that these two malware campaigns were active from late June to the end of July. In August, Facebook was notified about the trojans and the accounts were closed.