By Brian Krebs.

I recently encountered a botnet targeting Android Smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages. The botnet – which I’ve affectionately dubbed “Sandroid” – comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone. Banking Trojans – particularly those targeting customers of financial institutions outside of the United States – will often throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that merely intercept and then relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim. This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few – if any – of these users are running antivirus applications on their mobile devices.

In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.

The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet -funnygammi.com – was also used to register the phony bank domains that delivered this malware, including alrajhiankapps.com, commbankaddons.com, facebooksoft.net, caixadirecta.net, commbankapps.com, nationalaustralia.org, andstgeorgeaddons.com. The registrar used in each of those cases was Center of Ukrainian Internet Names. Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile Telesystems network.

Lee Reiber Vice President of Mobile Forensic Solutions at AccessData and a cellphone forensic researcher and innovator writes below:

Currently, 91% of people worldwide use some sort of mobile device, and 82% of mobile media time is spent via an application. There are over 800,000 applications available from the Apple Store, and over 800,000 applications available from the Google Play Store. Over 16 billion photos alone have been shared via Instagram. There are over 1 billion active Facebook users worldwide. Over 200,000 Google searches are conducted every minute of every day and over 600,000 emails are sent every minute of every day. These statistics are staggering. Data from these mobile applications are stored in that application’s SQL database, located on the mobile device. Considering that a crime can be facilitated, or committed via a mobile device or mobile application, it is imperative that law enforcement be able to quickly adapt to the ever evolving world of mobile applications and mobile forensics. Access Data’s Mobile Phone Examiner Plus (MPE+) provides law enforcement with that ability through the SQL Builder.

The MPE+ SQL Builder is not an add-on tool, but a feature built into AccessData’s Mobile Phone Examiner Plus (MPE+). This feature allows the user to build custom queries simply by selecting the SQL database, the relevant table or tables, and the associated rows containing the data. These queries can be built as soon as an application is available. Users of MPE+ do not need to wait for a software upgrade to be able to process the new application’s data. Once the query is built, a user simply executes the query and the data is pulled from the database into the interface. This data can then be published into the MPE+ interface and can be immediately reported on. This feature makes every app database open for investigation and the hidden data types exposed. All other mobile forensic solutions have a limited number of applications they support but they only allow users to visualize that data. Therefore, extracting the data with these other solutions is cumbersome and difficult. With MPE+ SQL Builder, users simply create their own queries and execute on ANY and ALL applications. In essence, all applications utilizing a SQL Database are supported by MPE+. What is even better, the user can also save those queries for later use, or share them with other MPE+ users!

Today, criminals are assisted in the commission of their crimes by the mobile devices and applications they use. Application evidence is critical in any and all investigations. By allowing the user to pull this important and volatile data from any SQL database, AccessData’s MPE+ has given the upper hand to the law enforcement investigator. Using MPE+ SQL Builder, the relevant evidence can be extracted and a criminal’s intentions exposed. Staying ahead of the app, MPE+ is changing the way mobile forensics is done by introducing an entirely different approach to mobile device forensics.