IBM X-Force threat intelligence has found that the source code for Android malware GM Bot was leaked on an underground board in December 2015. The leaked code for the malware and its control panel have since been further propagated to different users, making this popular Android Trojan accessible to fraudsters for free, with a tutorial and server-side installation instructions to match.
GM Bot will be available to cybercriminals who can recompile the code, create new variants and use the leaked sources to build, sell or deploy this malware for fraud scenarios.
A Mobile Source Code Leak
How was this source code leaked? And why? In this particular case, the leak does not appear to have resulted from a dispute between criminals; it was the choice of one of GM Bot’s buyers. When cybercriminals sell malware in underground venues, black-hat vendors simply cannot control what their buyers do with the malware once it is in their possession. As they say: Leaks happen!
The exposure of GM Bot’s code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others. While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats. Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware.
The reasoning behind leaking the code appears to be one buyer’s personal desire to enhance credibility in the underground boards. To be considered more credible or up their rank, criminals usually have to give something back to the fraudster community they’re a part of; in this case, it was a tutorial explaining the use of mobile malware for online banking fraud.
The fraudster who leaked the code threw in an encrypted archive of the GM Bot malware source. He indicated he would give the password to the archive only to active forum members who approached him. Those who received the password in turn passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list.
Where does that leave GM Bot’s creator? The original vendor already sold the rights to distribute what is considered GM Bot v1 to another cybercriminal, who peddles it in the underground for $500. That version is called MazarBot, and it is just as popular among cybercriminals.
According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.
About Android’s GM Bot
GM Bot is mobile malware that emerged in late 2014 in the Russian-speaking cybercrime underground. This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.
Beyond that overlay screen capability, GM Bot can intercept SMS messages sent to the mobile devices it infects and act like spyware that grabs and exfiltrates data from infected devices.
This makes GM Bot a banking Trojan for the Android OS since it enables cybercriminals to gather enough information for illicit money transfers out of victim accounts. GM Bot further allows criminals to customize fake screens, which enables them to harvest payment card information.
This turnkey capability is the true differentiator. Previous mobile malware — before overlay became commercially available to fraudsters — could steal SMS codes, but those would have been meaningless without phishing schemes or a Trojan on the victim’s PC to steal access credentials. The reverse was also true: Phishers and PC Trojan operators could not facilitate fraudulent transactions without mobile malware to intercept the SMS codes or calls from the bank.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
- They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
- They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
- They can forward phone calls to a remote attacker.
- They have spyware features and can control the device via remote commands.
An Example of Cybercrime Collaboration
In the information security sphere, we often hear about cybercriminals sharing information and collaborating in underground boards. This case is an excellent example: Actors have access to cybercrime advice from a fraudster who knows his way around online fraud, along with the actual malware source code to help readers set up their own mobile botnet.
While it is useful, the advice is not meant for the novice crowd. The post illustrates the value of the malware and how to monetize it, but the leaked malware and control panel source codes would not mean much to the nontechnical, inexperienced fraudster readers who never compiled malicious code on their own.
Overall, the post’s author is addressing cybercriminals who either actively use banking Trojans or understand Trojan-facilitated online banking fraud.
The subtext in the author’s post is clear: Using mobile malware is cheaper and safer than using banking Trojans for those who target personal bank accounts. In the post, the fraudster goes over some common hurdles encountered by cybercriminals who do not have access to victims’ genuine devices or operate Windows endpoint-based botnets. Those include the challenge of two-factor authentication codes sent via SMS, telephone banking call centers requesting replies to secret questions, having the right accent when calling an English-speaking bank or needing to forward a call without changing anything in the victim’s bank account.
Per the post, the solution to these fraud prevention measures is not to outsource the necessary help to cybercrime-as-a-service (CaaS) vendors but rather to buy a mobile bot and use it to harvest the necessary information.
The online banking scenario in the resulting cases is going to be account takeover — the initiation of the fraudulent transaction from a computer or mobile device the fraudster owns.
Inside GM Bot’s Control Panel
The GM Bot mobile Trojan was initially analyzed by CERT Polska in October 2015. The malware has since been detected and renamed by a few other security vendors, but the code base is the same and it is not considered a different Trojan. Some aliases GM Bot has received are SlemBunk, Bankosy, Acecard and Slempo.
Since technical analysis of this malware is already available from different sources, IBM X-Force mobile threat researchers only examined the leaked source and control panel.
GM Bot’s botnet administration panel is designed to let the operator manage the incoming stolen data and to create and push new injections (fake overlay screens) to infected devices.
This section focuses on the control panel’s options and demonstrates the control and data collection capabilities cybercriminals have on infected devices once complex malware is installed.
GM Bot’s Remote Commands
The following commands can be sent to an infected device directly from the attacker’s command-and-control (C&C) server. Each is self-explanatory and shows that the malware controls the infected phone’s SMS relay as well as its call forwarding. Banking malware uses these options to route two-factor authentication codes and phone calls from the bank to the attacker’s number, with no need to modify any details in the victim’s account.
- Begin eavesdropping on incoming SMS content.
- Stop eavesdropping on incoming SMS content.
- Begin intercepting SMS messages.
- Stop intercepting SMS messages.
- Enable call forwarding from the infected device.
- Begin forwarding calls from the infected device.
- Stop call forwarding.
- Disable the call forwarding option.
- Lock the screen.
- Unlock the screen.
- Add a phone number to the blacklist.
- Remove a phone number from the blacklist.
- Clear the blacklist.
- Check the user’s location via GPS.
- Send information about the user’s apps.
- Wipe data from the infected device.
A cybercriminal operating GM Bot can also lock the phone’s screen and delay the victim’s access to the device. This is part of the tactics fraudsters use when they plan to intercept two-factor authentication codes sent from the bank and want to keep the victim from noticing and questioning the SMS.
GM Bot also comes with spyware features: it can read the device’s GPS location or wipe user data from the device, each triggered by a single command from the panel.
Botnet Search and Stats
Reminiscent of the Zeus Trojan’s control panel, GM Bot botnet operators can also search their database for records that interest them, which can be sorted by the infected device’s origin country. Records include stolen information that is parsed into credit card details, lists of apps installed on infected devices, bank accounts the victims hold, other types of compromised accounts collected by the malware, data from online forms filled out by the victims and data stolen by customized HTML forms pushed to the victims.
SMS Stealing and Spamming Module
As mentioned earlier, GM Bot gains control over the infected phone’s SMS relay. With that capability, it can eavesdrop, intercept and send out new SMS messages as it pleases. Since Android 4.4 (KitKat), only the device’s default SMS app can suppress or delete incoming messages, so unless the malware gets itself set as the default SMS handler, victims still see the messages it intercepts, which means they might suspect something and contact their bank or service provider.
Controlling the SMS relay also means fraudsters can mass-send SMS from that victim’s device (spamming or sending to premium numbers). The attacker can blacklist certain numbers from reaching the victim, such as the bank’s customer service numbers, for example. The options are available to the attacker from the control panel. Each option allows for further parameter definition in the simplistic user interface.
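The capabilities listed above (overlay windows, SMS relay control, call forwarding, screen lock and wipe) and the Android 4.4 default-SMS-handler caveat all leave traces in an app’s manifest, which is the first thing an analyst triages when a suspected GM Bot sample lands on the bench. The script below is an added example, not code from the article or the malware: it parses a plaintext AndroidManifest.xml (as produced by apktool, not binary AXML) and flags the permission and component combination this family depends on. The two manifests are constructed and the package names are invented.

```python
"""Static manifest triage for GM Bot-style overlay banking Trojans.
Added example; the manifests below are constructed, package names invented."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups keyed by the capability they enable.
CAPABILITY_PERMS = {
    "sms_control": {"android.permission.RECEIVE_SMS",
                    "android.permission.READ_SMS",
                    "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "foreground_app_tracking": {"android.permission.GET_TASKS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"   # default SMS app path, 4.4+
ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"


def _filters(component):
    """Yield (set of actions, priority) for each intent-filter on a component."""
    for f in component.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in f.findall("action")}
        yield actions, int(f.get(NS + "priority", "0"))  # decimal priority assumed


def triage_manifest(xml_text):
    """Return a dict of findings; a key is present only when its indicator fires."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name") for p in root.findall("uses-permission")}
    findings = {}
    for cap, wanted in CAPABILITY_PERMS.items():
        if perms & wanted:
            findings[cap] = sorted(perms & wanted)
    app = root.find("application")
    for rx in (app.findall("receiver") if app is not None else []):
        for actions, priority in _filters(rx):
            if SMS_RECEIVED in actions:
                # A high priority lets the receiver see (and, before 4.4, abort)
                # the broadcast ahead of the stock SMS app.
                findings["sms_receiver_priority"] = max(
                    priority, findings.get("sms_receiver_priority", 0))
            if SMS_DELIVER in actions:
                findings["default_sms_handler"] = True  # can hide messages on 4.4+
            if ADMIN_ENABLED in actions and \
                    rx.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
                findings["device_admin"] = True  # lock-screen / wipe-data policies
    return findings


def verdict(findings):
    """SMS control plus overlay is the banking-Trojan core; device admin or
    default-SMS-handler registration adds the lock/wipe and message-hiding
    capabilities the article describes."""
    core = "sms_control" in findings and "overlay" in findings
    extra = findings.get("device_admin") or findings.get("default_sms_handler")
    return "high" if core and extra else "medium" if core else "low"


# Constructed sample: what a GM Bot-style dropper posing as a media player looks like.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no telephony footprint.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(text)
        print(name, verdict(f), f)
```

The verdict is deliberately coarse: a legitimate SMS client also registers SMS_DELIVER, and a launcher may request SYSTEM_ALERT_WINDOW, so a "high" result is a queue for dynamic analysis rather than a conviction. The combination of all four indicators in an app that presents itself as something unrelated to messaging is what makes this family stand out.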
The Injection Configuration Module
The customizable part of the GM Bot is its ability to target new apps and entities by setting up new fake overlay screens (injections) directly from the control panel. That option is enabled by simply feeding the code into the user interface and dispatching it to the infected devices. The specific code will pop up upon the launch of the applications specified in the App Filter section.
Note that for the more recent overlay Trojans circulating in the wild, some overlay windows are static, hard-coded into the malware. Additional screens are dynamically fetched from the configuration and the attacker’s C&C server in real time. They are launched as soon as infected users open the target banking application, their Google Play store app or any other app the attacker chooses to target.
GM Bot Indicators of Compromise
Some hashes from the samples X-Force mobile threat researchers worked with appear below. While the X-Force Exchange is kept up to date, C&C server addresses and the list of targeted entities can change from one attacker to the next, since GM Bot is commercial malware that appears in a variety of versions. C&C server addresses may or may not be live.
Some extracts from the underground forum post appear in this appendix. The extracts were translated from Russian by IBM Security Trusteer and modified slightly for readability.
“Essentially, the main use for Android malware is the interception of SMS.”
“The majority of us have an online banking app on our phones. Imagine that your phone is now infected by malware. The attacker can now read content on your phone, but that is not enough. Now we have something that is just like injections! That’s not the injections we’re used to seeing, no. We’re not interested in browsers…”
“So how do Android injections work? What’s an app injection like? Nothing unusually difficult! Any injection looks like a perfect fake page, the goal of which is to obtain info from the unsuspecting victim — hence, a fake window that overlays on top of the main window and features the exact same design. The injection asks for the exact info that is required to access the online banking account and for transactions to be authorized.
The account holder does the following:
1. User unwittingly opens a bank app
2. Our injection is momentarily overlaid on top of the app
3. Holder enters their login info
4. Info is sent to admin panel!”