Bad news for the Android community, the experts at IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it include the bot component and the control panel.
It seems that one of GM Bot’s buyers decided to leak the code online to enhance credibility in the underground boards.
He leaked the code in an encrypted archive, then he indicated he would give the password only to active forum members who contacted him.
Of course, the code rapidly spread within the criminal ecosystem, it is now free and online is available a tutorial and the instructions for the server-side installation.
The availability online of the source code of a malware represents a crucial moment in the life cycle of malicious codes. Once the code is leaked online, cyber criminal organizations can work on it to create new variants that could be offered for sale or rent.
The original creator of the Android malware has sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that is offering it for $500.
“According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.” states a blog post published by the X-Force threat intelligence.
GM Bot appeared in the wild in 2014, it was offered in the Russian underground as a powerful instrument for mobile phishing.
“This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.” continues the post.
The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
The experts at the IBM have analyzed only the control panel because many other organizations and security firms already produced a detailed analysis of malware.
The most interesting feature discovered by the experts in the GM Bot’s botnet administration panel is the possibility to create and deploy new injections to infected user devices.
Another interesting component of the Botnet is the “Search and Stats” section that allows operators to analyze their database that includes stolen information, credit card details, lists of apps installed on infected devices, bank accounts the victims and other info.
Let me suggest to give a look to the interesting analysis published by IBM that also includes the indicators of compromise.
(Security Affairs – Botnet, GM Bot)