The application being offered to Android device owners is a version of the iBanking Trojan app that has been modified to look as a Facebook application for generating one-time passwords. During installation, users are instructed to enable the Android setting allowing the installation of apps obtained from unknown sources and are asked to give the app device administrator permissions.
"The way iBanking is installed on the user's mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud," Boutin said.
It's possible that the attackers are using iBanking to steal security codes sent via SMS by Facebook's legitimate two-factor authentication system. It may be that there's a growing number of people using this protection feature on Facebook, making accounts harder to compromise through traditional credential theft attacks, Boutin said.
However, it's also possible that attackers have chosen to use webinjects on Facebook because it's an efficient way to distribute the malware to a lot of users without worrying which particular banking sites they regularly interact with.
"Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects," Boutin said. "Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility."