The experts at the IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked online.
Bad news for the Android community, the experts at IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it include the bot component and the control panel.
It seems that one of GM Bot’s buyers decided to leak the code online to enhance credibility in the underground boards.
He leaked the code in an encrypted archive, then he indicated he would give the password only to active forum members who contacted him.
Of course, the code rapidly spread within the criminal ecosystem, it is now free and online is available a tutorial and the instructions for the server-side installation.
The availability online of the source code of a malware represents a crucial moment in the life cycle of malicious codes. Once the code is leaked online, cyber criminal organizations can work on it to create new variants that could be offered for sale or rent.
The original creator of the Android malware has sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that is offering it for $500.
“According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.” states a blog post published by the X-Force threat intelligence.
GM Bot appeared in the wild in 2014, it was offered in the Russian underground as a powerful instrument for mobile phishing.
“This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.” continues the post.
The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The experts at the IBM have analyzed only the control panel because many other organizations and security firms already produced a detailed analysis of malware.
The most interesting feature discovered by the experts in the GM Bot’s botnet administration panel is the possibility to create and deploy new injections to infected user devices.
Another interesting component of the Botnet is the “Search and Stats” section that allows operators to analyze their database that includes stolen information, credit card details, lists of apps installed on infected devices, bank accounts the victims and other info.
Let me suggest to give a look to the interesting analysis published by IBM that also includes the indicators of compromise.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.