Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.
These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.
Webinjects are also commonly used to display messages that instruct users to download and install malicious applications on their mobile phones by presenting them as security apps required by financial institutions. In reality those rogue mobile apps are designed to steal mobile transaction authorization numbers (mTANs) and other one-time passwords sent by banks via SMS.
In February security researchers from RSA, the security division of EMC, reported that the source code for an advanced Android Trojan called iBanking was released on an underground forum and warned that this development will allow more cybercriminals to incorporate this mobile threat in their future operations.
Once installed on an Android phone, iBanking can capture incoming and outgoing text messages; can redirect calls to a pre-defined phone number; can capture audio from the surrounding environment using the device's microphone and can steal the call history log and the phone book.
The authors of the Qadars computer Trojan were quick to adopt iBanking, according to a new report by researchers from ESET, but instead of using it against online banking users they appear to be targeting accounts on Facebook.
When users log into Facebook from a computer infected with Qadars they will see a rogue message informing them that "due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system."
This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. In order to obtain the application, users are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.