The malicious script takes users to a fake Facebook two-factor verification page and once they enter a mobile number, a link to download the Trojan app is sent to the phone. Even if the link is not sent, the web page displays the download link. The page also displays instructions to download the app and enable settings to install third-party apps on Android, if not enabled.
The page displays a message saying, “due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system.”
According to a blog post by ESET, “The iBanking app can be used in conjunction with any malware able to inject code into a web page and is generally used to redirect incoming SMS messages to bypass two-factor authentication.”
The app may be stealing SMS security codes sent by Facebook and banks for two-factor authentication.