Source Code For Android Banking Malware Leaked

The source code for banking malware GM Bot is leaked to cybercriminals who will likely recompile the free code to numerous new variants, according to IBM X-Force threat intelligence.

Source code for the potent Android malware GM Bot has been leaked to underground forums, according to IBM security experts. The impact, IBM X-Force threat intelligence says, will be an uptick in GM Bot variants and the number of attacks targeting financial applications on Android-based devices.

Limor Kessem, a cybersecurity analyst with IBM Trusteer, said the GM Bot source code was leaked on Dec. 15, according to her report that posted on Friday to IBM’s Security Intelligence website. Kessem wrote a GM Bot buyer released the code in order to gain respect among peers. The GM Bot source code released includes the malware, control panel, tutorials and server-side installation instructions.

“While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats,” Kessem wrote. “Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware.”

The GM Bot exploits a vulnerability found in older versions of Google’s Android operating system (prior to the release of Android 5.0) called activity hijacking. The malware allows attackers to create an overlay to be displayed on top of legitimate applications. The overlay then collects user’s authentication credentials and sends them to the attacker.

“Once that source code is out there anyone can recompile the malware and do whatever they want with it,” Kessem told Threatpost. “Having the source code is like having the blueprints. You can further develop it, you can copy it or give it away for free.”

GM Bot was originally spotted in 2014 and sold by cybercriminals on underground boards. According Kessem, the original vendor sold the rights to distribute GM Bot v1 to another cybercriminal who sold it for $500 under the name MazarBot. The code’s author is now selling GM Bot v2.0 in financial fraud-themed underground boards, Kessem wrote.

In the case of MazarBot, researchers at Heimdal Security reported earlier this month the bot was being sent via SMS and MMS messages in active attacks targeting Android devices. Recipients of the messages were then prompted to execute the install of an APK. If executed, the malware gives attackers root access to a phone allowing them to spy on almost every activity capable on an Android device, including establishing a backdoor connection, sending premium SMS messages, reading texts sent to the device, including bank authentication PINs.

Kessem compared the GM Bot’s code leak to similar releases of PC Trojans that include Zeus, SpyEye, and Carberp. But unlike the preceding Trojans, the differentiator is the turnkey nature of GM Bot and its ability to not just steal SMS codes or give cybercriminals overlay screen capability capabilities, but to do both.

What makes GM Bot unique is the deployment of overlay screens on top of running banking applications, Kessem wrote. The overlay, she wrote, tricks users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.

GM Bot is a one-stop fraud shop for criminals, she wrote. Besides the fake overlay window that mimics bank applications, GM Bot can not only intercept SMS messages but also send them from the targeted Android device as well as forward phone calls and give attackers control over the device via remote commands.

The GM Bot has a customizable aspect to the malware that gives attackers the ability to target new apps with additional fake overlay screen injections, Kessem wrote. Directly from the GM Bot control panel, cybercriminals can feed code into a victim’s phone user interface that can generate overlays for specific banking applications, Google Play or any other application the attacker chooses.

“Any injection looks like a perfect fake page, the goal of which is to obtain info from the unsuspecting victim — hence, a fake window that overlays on top of the main window and features the exact same design,” wrote cybercriminals in underground forum posts translated by IBM Security Trusteer. “The injection asks for the exact info that is required to access the online banking account and for transactions to be authorized.”

“We have seen this malware with banking Trojans for the PC like ZeuS,” she said. “This is the first meaningful source code leak for the mobile Trojan world.”

And just as Zeus morphed into the Trojans Citadel, Sphinx and KINS once the source code was revealed, Kessem said, GM Bot will also the basis for many new variants to come.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.