{"id":34825,"date":"2014-04-17T15:39:07","date_gmt":"2014-04-17T22:39:07","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=34825"},"modified":"2025-06-02T01:13:12","modified_gmt":"2025-06-02T08:13:12","slug":"ibanking-android-trojan-poses-facebook-token-generator","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/","title":{"rendered":"iBanking Mobile Trojan Poses as Facebook Token Generator"},"content":{"rendered":"<p>Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dissecting-zeus-for-android-or-is-it-just-an-sms-spyware\/\">Zitmo)<\/a> or legitimate banking apps (<a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan\/\">FakeToken<\/a> or <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/android-banking-trojans-target-italy-and-thailand\">FkSite<\/a> a.k.a. Perkele) to trick users into installing the malware. These apps steal incoming SMS messages that could contain mTANs (Mobile Transaction Authentication Numbers) used as two-factor authentication to allow Internet transactions. Now, however, it seems that malware authors are adding a new social-engineering trick to improve the rate of malware installations&#8211;by taking advantage of one of the biggest and most popular social networks.<\/p>\n<p>Despite the fact that Facebook two-factor authentication has been available since <a href=\"https:\/\/www.facebook.com\/note.php?note_id=10150172618258920\">May 2011,<\/a> currently there is no official stand-alone application to generate one-time passwords similar to the mobile app <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2\">Google Authenticator<\/a>. Instead, Facebook delivers the second factor of authentication via two functions:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.facebook.com\/note.php?note_id=10150172618258920\">Login approvals<\/a>: If it is enabled, Facebook will send a text message with the security code to the mobile phone number configured in your profile (contact information) every time you try to log in from an unknown device.<\/li>\n<li><a href=\"https:\/\/www.facebook.com\/notes\/facebook-security\/guest-post-login-approvals-and-the-code-generator\/10151602405925766\">Code generator<\/a>: For when you are traveling and can\u2019t receive text messages. If this function is activated, you can get a security code by going to the option \u201cCode Generator\u201d in the Facebook mobile app.<\/li>\n<\/ul>\n<p>Recently McAfee Labs received a mobile malware sample that, at first sight, seems to be just another variant of the Android Trojan iBanking, but in fact is an improved version of the malware. Instead of pretending to be a legitimate banking or security app, this version poses as an official Facebook app that provides a \u201cpassword token\u201d to protect the account from hijacking by adding another authentication factor. Once the malware is installed, the following icon appears in the home launcher of the device:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-34829\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\" alt=\"CASTILLO_FaceBook_Icon\" width=\"107\" height=\"105\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png 107w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon-64x64.png 64w\" sizes=\"auto, (max-width: 107px) 100vw, 107px\" \/><\/a><\/p>\n<p>Unlike the official Facebook app, the malware uses the word <em>FaceBook<\/em> with a capital B. If you notice the change in style, that should trigger an alarm. In order to make dynamic analysis difficult, the app will not work if the IMEI, phone number, network operator and SIM serial number values are the same as those configured by default in an Android emulator. On the other hand, if the app is executed in a real device, it will ask for device administrator privileges to make the removal of the app more difficult:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_DeviceAdmin.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-34830\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_DeviceAdmin.png\" alt=\"CASTILLO_FaceBook_DeviceAdmin\" width=\"230\" height=\"365\" \/><\/a><\/p>\n<p>Another suspicious characteristic is the text \u201cAdditional text explaining why this needs to be added,\u201d which shows that this version of the malware is currently under development. After the app is activated by the device administrator, the malware shows the following user interface&#8211;pretending to be a Facebook password-token generator:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Generate_Password_Token.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-34831\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Generate_Password_Token.png\" alt=\"CASTILLO_FaceBook_Generate_Password_Token\" width=\"233\" height=\"261\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Generate_Password_Token.png 389w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Generate_Password_Token-268x300.png 268w\" sizes=\"auto, (max-width: 233px) 100vw, 233px\" \/><\/a><\/p>\n<p>When the user clicks on the button Generate Password Token, the app simulates the generation of the security code to finally provide the \u201cNew Token\u201d that should be used to access your Facebook account:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_NewToken.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-34832\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_NewToken.png\" alt=\"CASTILLO_FaceBook_NewToken\" width=\"229\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_NewToken.png 381w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_NewToken-187x300.png 187w\" sizes=\"auto, (max-width: 229px) 100vw, 229px\" \/><\/a><\/p>\n<p>The provided security code will not work in Facebook because it is a fake number generated by a custom algorithm based on the device identifier (IMEI) or random numbers. At the same time, the malware will start two services that will run in the background without the user\u2019s consent:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Services.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-34833\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Services.png\" alt=\"CASTILLO_FaceBook_Services\" width=\"232\" height=\"355\" \/><\/a><\/p>\n<h2>iBanking Variant&#8217;s Malicious Actions<\/h2>\n<p>Just like older variants of iBanking, this variant can also execute commands sent by the attacker via SMS or HTTP to perform any of the following actions:<\/p>\n<ul>\n<li>Intercept incoming SMS messages (that could include mTAns) and forward them to the attacker<\/li>\n<li>Forward all incoming calls to a phone number specified in the malware<\/li>\n<li>Steal all the SMS messages in the inbox and sent folders<\/li>\n<li>Steal all the call logs (incoming\/Outgoing\/missed calls)<\/li>\n<li>If the app was added as a Device Administrator, the malware will attempt to erase all user data by asking the user to do so. External storage such as SD cards will not be affected.<\/li>\n<li>Record the surrounding audio captured by the microphone to store it in the SD card and later send it to a remote server<\/li>\n<li>Send a text message, with the body provided by the attacker, to the number<\/li>\n<li>Steal the contact list<\/li>\n<li>Steal all the images (jpg, jpeg, gif and png) stored in the SD card<\/li>\n<li>Leak the GPS location of the infected device<\/li>\n<li>Report all installed applications in the device<\/li>\n<li>Start the malicious services and send a text message to the attacker with the SIM serial number, manufacturer, and model of the infected device<\/li>\n<\/ul>\n<p>Taking into account the existence of security vulnerabilities such as <a href=\"https:\/\/www.mcafee.com\/blogs\/consumer\/what-is-heartbleed\/\">Heartbleed,<\/a> which allows the remote extraction of sensitive data such as user names and passwords, it is clear that only one password is not enough to protect access to online services. For that reason multifactor authentication systems are becoming more popular every day as an additional security measure to prevent the hijacking of online accounts. This variant of iBanking shows that malware authors are aware of this step and have started to\u00a0associate with\u00a0social networks to trick users into installing their malware.<\/p>\n<p>McAfee Mobile Security detects this Android threat as Android\/iBanking.B and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit <a href=\"https:\/\/www.mcafeemobilesecurity.com\">https:\/\/www.mcafeemobilesecurity.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a&#8230;.<\/p>\n","protected":false},"author":462,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,49,100,180,214],"coauthors":[1104],"class_list":["post-34825","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-botnet","tag-facebook","tag-malware","tag-mobile-security1"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2014-04-17T22:39:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T08:13:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\" \/>\n\t<meta property=\"og:image:width\" content=\"107\" \/>\n\t<meta property=\"og:image:height\" content=\"105\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Carlos Castillo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@carlosacastillo\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carlos Castillo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\"},\"author\":{\"name\":\"Carlos Castillo\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe\"},\"headline\":\"iBanking Mobile Trojan Poses as Facebook Token Generator\",\"datePublished\":\"2014-04-17T22:39:07+00:00\",\"dateModified\":\"2025-06-02T08:13:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\"},\"wordCount\":855,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\",\"keywords\":[\"android\",\"botnet\",\"facebook\",\"malware\",\"mobile security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\",\"name\":\"iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\",\"datePublished\":\"2014-04-17T22:39:07+00:00\",\"dateModified\":\"2025-06-02T08:13:12+00:00\",\"description\":\"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"iBanking Mobile Trojan Poses as Facebook Token Generator\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe\",\"name\":\"Carlos Castillo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/729f5b9d2761341175762c5f10652607\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg\",\"caption\":\"Carlos Castillo\"},\"description\":\"Carlos Castillo specializes in the analysis of mobile threats and Android malware. Castillo performs static and dynamic analysis of suspicious applications to support McAfee\u2019s Mobile Security for Android product. He is the author of the McAfee-published white paper, \\\"Android Malware Past, Present, and Future,\u201d and wrote the \u201cHacking Android\\\" section of the book, \\\"Hacking Exposed 7: Network Security Secrets &amp; Solutions.\u201d As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Castillo joined the world of malware research when he won ESET Latin America\u2019s Best Antivirus Research contest with a paper titled, \u201cSexy View: The Beginning of Mobile Botnets.\u201d Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogot\u00e1, Colombia.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/carlosacastillo\/\",\"https:\/\/x.com\/carlosacastillo\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/carlos-castillo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog","description":"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog","og_description":"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2014-04-17T22:39:07+00:00","article_modified_time":"2025-06-02T08:13:12+00:00","og_image":[{"width":107,"height":105,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png","type":"image\/png"}],"author":"Carlos Castillo","twitter_card":"summary_large_image","twitter_creator":"@carlosacastillo","twitter_site":"@McAfee","twitter_misc":{"Written by":"Carlos Castillo","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/"},"author":{"name":"Carlos Castillo","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe"},"headline":"iBanking Mobile Trojan Poses as Facebook Token Generator","datePublished":"2014-04-17T22:39:07+00:00","dateModified":"2025-06-02T08:13:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/"},"wordCount":855,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png","keywords":["android","botnet","facebook","malware","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/","name":"iBanking Mobile Trojan Poses as Facebook Token Generator | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png","datePublished":"2014-04-17T22:39:07+00:00","dateModified":"2025-06-02T08:13:12+00:00","description":"Mobile\u00a0banking Trojans have usually pretended to be security applications (for example, Zitmo) or legitimate banking apps (FakeToken or FkSite a.k.a.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/CASTILLO_FaceBook_Icon.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ibanking-android-trojan-poses-facebook-token-generator\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"iBanking Mobile Trojan Poses as Facebook Token Generator"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe","name":"Carlos Castillo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/729f5b9d2761341175762c5f10652607","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","caption":"Carlos Castillo"},"description":"Carlos Castillo specializes in the analysis of mobile threats and Android malware. Castillo performs static and dynamic analysis of suspicious applications to support McAfee\u2019s Mobile Security for Android product. He is the author of the McAfee-published white paper, \"Android Malware Past, Present, and Future,\u201d and wrote the \u201cHacking Android\" section of the book, \"Hacking Exposed 7: Network Security Secrets &amp; Solutions.\u201d As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Castillo joined the world of malware research when he won ESET Latin America\u2019s Best Antivirus Research contest with a paper titled, \u201cSexy View: The Beginning of Mobile Botnets.\u201d Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogot\u00e1, Colombia.","sameAs":["https:\/\/www.linkedin.com\/in\/carlosacastillo\/","https:\/\/x.com\/carlosacastillo"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/carlos-castillo\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/34825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/462"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=34825"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/34825\/revisions"}],"predecessor-version":[{"id":214808,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/34825\/revisions\/214808"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=34825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=34825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=34825"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=34825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}