Scourge of Android Overlay Malware on Rise

The black market for malicious Android software is heating up thanks to a rise in popularity of overlay malware.

The black market for malicious Android software is heating up thanks to a rise in popularity of overlay malware, which can siphon credentials off Android devices and give crooks a tool to defeat two-factor authentication schemes, according to security researchers at IBM’s X-Force.

Overlay malware allows attackers to create an overlay to be displayed on top of legitimate Android applications. The overlay then tricks users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.

Interest in overlay malware, X-Force wrote in a research note posted Thursday, has triggered price wars and a flood of new variants of overlay malware in recent months.

Limor Kessem, a cybersecurity analyst with IBM X-Force, said interest in overlay malware began to rise after the GM Bot malware code was leaked online in February. Since then, hackers reworked the leaked code and relaunched a new GM Bot variant pricing it at a much higher $15,000, compared to an average price of $5,000 for GM Bot six months ago.

Those high prices, Kessem told Threatpost, have sparked a pricing war among peddlers of similar malware that also targets Android devices. She said X-Force has spotted a number of new samples, such as Bilal Bot and Cron Bot, on black markets. Kessem said sales of the existing KNL Bot overlay malware are also spiking. Prices for these range from $3,000 to $6,000 and also include malware-as-a-service options.

“What we are seeing is a maturing of these black markets away from (PC) banking Trojans,” Kessem said. “Overlay malware is a criminal’s Swiss Army Knife. It’s flexible and effective at stealing financial credentials as well as a multitude of other types of sensitive data on an Android device,” she said.

GM Bot was originally spotted in 2014. It, along with Bilal Bot, Cron Bot, and KNL Bot, all exploit a vulnerability found in older versions of Google’s Android operating system (prior to the release of Android 5.0) that enables activity hijacking.

In the case of Bilal Bot, Cron Bot, and KNL Bot, Kessem said, it’s unclear if they share the same base code as GM Bot. “There is a good chance they do, we just haven’t analyzed the samples yet,” she said.

The introduction of the newer GM Bot to black markets, X-Force reports, has created new market dynamics. Attackers now have a greater range of tiered pricing options to choose from. Bilal Bot is the low-cost leader at $3,000. Cron Bot, which hit the market earlier this April, is available for $7,000 a month via a malware-as-a-service model.

The KNL Bot, priced at $7,000, offers the most similar feature set compared to GM Bot, X-Force reports. Unlike new entrants, KNL is nearly as old as GM Bot. “Its developers are selling the malware with a botnet control panel and highlight the potential monetization options. KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data,” wrote IBM X-Force in its report.

Latest variants of the overlay malware, Kessem said, appear to share a number of similar characteristics such as being sold and supported by the software’s developers directly. “Middlemen are growing less common. Software is now being supported by developers directly with regular updates, bug fixes and technical support,” she said.

Also similar are the feature sets of the overlay malware APKs, which go beyond overlay screens to include SMS hijacking, call forwarding and CC grabbing. Attackers also have the ability to evade detection via polymorphic code features that recompile the malware periodically to avoid signature detection by security software.

“The upsurge in supply of different offerings, including low cost alternatives, may come in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have long become the domain of organized crime groups,” X-Force wrote. “Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea to the fraud endeavors they cannot carry out without a banking Trojan operation.”

IBM’s X-Force security researchers say overlay malware botnets are expected to proliferate due to the malware’s proven ability to effectively steal financial credentials alongside other authentication and customer data from mobile devices.

The good news? “Overlay malware can easily be defeated,” Kessem said. She said Android application developers need to anticipate overlay attacks when creating applications. “Apps need to be smarter and protect against attacks or at the very least alert users if an overlay appears on their device.”
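One concrete way for an app to do what Kessem describes, shown here as an added example that is not code from the article or from IBM X-Force: Android stamps every touch event delivered to a window with `MotionEvent.FLAG_WINDOW_IS_OBSCURED` (and, from API 29, `FLAG_WINDOW_IS_PARTIALLY_OBSCURED`) when another window is drawn over it. A login screen can check that flag before any view handles the touch, discard the input, and tell the user. The layout name and the `R.id` resource identifiers below are assumed placeholders; the `MotionEvent` flags, `Activity.dispatchTouchEvent` and `onWindowFocusChanged` are real Android APIs.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Toast;

// Added example (not from the article): a login Activity that refuses touches
// arriving through another app's window and warns the user about it.
// Assumed: a layout "activity_login" with credential fields and a login
// button; those resource ids are placeholders for illustration.
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // assumed layout resource
    }

    // Runs before any view on the screen sees the touch, so one check covers
    // the username field, the password field and the login button alike.
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if (isObscured(ev)) {
            Toast.makeText(this,
                    "Another app is drawing over this screen; input ignored.",
                    Toast.LENGTH_LONG).show();
            return true; // consume the event: nothing reaches the views
        }
        return super.dispatchTouchEvent(ev);
    }

    // Pure check on the system-set flags; kept static so it can be exercised
    // in a unit test with a constructed MotionEvent.
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // API 29+: also set when only part of the window is covered
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    // Coarse second signal: the resumed Activity losing window focus means
    // some other window (an overlay, but also a system dialog) came to the
    // front. It is a heuristic, so the message only asks the user to look.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus && !isFinishing()) {
            Toast.makeText(this,
                    "Login screen lost focus; check for a window drawn on top.",
                    Toast.LENGTH_SHORT).show();
        }
    }
}
```

The same dropping behaviour, without the user-facing message, is available declaratively by setting `android:filterTouchesWhenObscured="true"` on the sensitive views (or calling `View.setFilterTouchesWhenObscured(true)`); the framework then discards obscured touches before any listener runs, which is why this example checks the flag in `dispatchTouchEvent` instead. The check stops input being pushed through a window stacked on top of the real app; it cannot see a fake login window that fully replaces the screen, because the real Activity then receives no touches at all, and the focus-change callback above is the only in-app hint of that case.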


Discussion

  • Brian M on

    and all because government/police can't be bothered to get off their fat proverbials and do something about these markets. It's not rocket science to close them down by infiltration, engineering, blocking bitcoin to real currency etc. The words "follow the money" come to mind. Meanwhile honest transactions (for you and me!) such as engaging a lawyer or buying a house/car have to jump through hoops to prove who we are.
