Cybercriminals are going after millions of Facebook users by using a sophisticated Android Trojan app designed to bypass the two-factor authentication protection used by Facebook to shield its mobile users.
Code injected into the web page generates a message telling users to download and install Android malware that will steal authentication codes sent to their mobile phones via SMS. Such code injections, known as "webinjects," are commonly used against banking websites to steal login passwords and other personal financial information.
In the case of the current attacks on Facebook users, webinjects display messages instructing users to download and install malware or malicious applications on their mobile phones. The malware is disguised as a security app supposedly sent by a bank or financial institution.
In reality, these malicious mobile apps are designed to steal mobile transaction authorization numbers (mTANs) and other one-time passwords sent by banks via SMS.
ESET said Qadars is a variant of an advanced Android Trojan called iBanking. Security analysts said the source code for iBanking was released on an underground forum. They warned that this development allows more cybercriminals to use this mobile threat in their cybercrime operations.
When logging into Facebook from a computer infected with Qadars, a user will see a rogue message informing him that "due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system."
This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. But in order to obtain the application, victims are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.