In a recent email I received to my personal inbox, I was informed that one of my blogs covering mobile malware caught the attention of a person claiming to be the developer of Android malware Bilal Bot. Why would a developer of crimeware be contacting one of the largest security vendors in the world? You can imagine my surprise when I learned he (or she) was actually seeking my help to better highlight the malware in our security blog.
Bilal Bot is an Android malware app designed to enable the theft of data from mobile devices and their users for the purpose of online banking fraud, card fraud and identity theft.
Earlier this year, I described Bilal Bot as part of a blog post about increased competition in the underground mobile malware market, noting that Bilal Bot offered a lower cost/beta version that was an alternative to more advanced mobile malware, such as GM Bot.
So, why did the alleged malware developer feel the need to read and email me about my blog? Let’s take a look at that peculiar email:
According to the email, the author is dissatisfied with how we described his malware and that of his competitors. He seems to think we are not helping by omitting a piece of underground drama: Two of his competing vendors were banned from the underground forums where they once sold GM Bot and KNL Bot.
For what it’s worth, we chose not to report that because both these Trojan developers can easily return to the forum after making amends with the buyers and forum admin. Furthermore, they can sell the malware on other boards and very likely still distribute it to buyers referred to them by their dubious customers, even if not openly over forum pages.
Additionally, the alleged author wanted to inform us that Bilal Bot has now moved up from the beta version, resulting in increased features and pricing. He was not happy that we referred to it as low cost; to him, that constitutes “false information” about his product. Amazingly, he did not hesitate to contact an IBM Security employee to have that fixed!
As I sit here still shaking my head at this, I might add that the supposed author offered to give an interview to provide us with the most up to date Bilal Bot information.
Well, sure, Bilal Bot dev, we would be happy to conduct that interview. Bear in mind, though, that we may require you to verify your real-life identity and location.
Dissecting the Email
After looking into this further, we confirmed that an updated Bilal Bot post went up on underground boards several weeks after the email was originally sent to me, which may indicate that the person who emailed me is indeed the real developer.
It’s worth noting that the email itself came from a mail.ru address, possibly suggesting that the malware author, or a person claiming to be the dubious developer, is Russian, even though the vendor sells Bilal Bot in English.
One fact, however, did not jive: Bilal Bot’s underground vendor took pains to indicate his one true email address to potential buyers in the sales post, declaring that any other email address claiming to be him is an impostor. His official email as listed in the sales post was not in the mail.ru domain, so we cannot be certain that the email I received was indeed from the original malware author.
That said, whoever sent it did seem to have a strong motivation to update the information about the malware on our blog.
Was Bilal Bot Really Updated?
Was Bilal Bot indeed updated? Possibly. The first Bilal Bot post appeared in April, when it was in beta version, and the second one appeared in late May. The second post indicated that the malware’s capabilities had expanded since the beta version to include:
- Access to existing SMS content;
- Eavesdropping on incoming SMS messages;
- Covertly hijacking and exfiltrating SMS messages;
- Call forwarding;
- Overlay screen integration; and
- Admit panel included.
Bilal Bot’s vendor indicated that the malware is undetectable to antivirus clients and will remain hidden on the infected device’s app screen. It will, however, show on the process list, but it cannot be removed or killed by the user.
According to the post, overlay screens can be launched as the top-most activity upon access to any app and upon any type of action victims might take (opening an app, screen unlocking, network switching, etc.).
The developer plans to add embedded Tor connectivity and an SMS spammer that can flood a determined number. According to the post, Bilal Bot works on Android distributions from v4 to v6 inclusive. Unlike malware that can communicate via messages, Bilal Bot’s operation requires internet connectivity or it will go offline.
Like other mobile malware, this Trojan’s Android application package (APK) can be bound with other, more legitimate-looking apps, Trojanized games, etc. Bilal Bot samples are detected in the wild as overlay malware, based on their malicious mechanism and M.O.
Underground Malware Community on the Rise
It is very interesting to see how the mobile malware community is growing in the underground, resembling the PC Trojans scene the same forums used to feature just five years ago. Developers are not only selling malware directly to users on the forums, but they are also brazenly contacting a security vendor to make sure that all information about their nefarious products is accurate.
If I had to guess, I would say what bothered Bilal Bot’s vendor the most is that my original blog post called his malware a “low-cost option” compared to GM Bot. It is very possible that the price has gone up since the malware moved forward from the beta version, and the developer does not want potential buyers to demand the lower price they may have read about somewhere else.
Mobile Malware: A Top Financial Threat
Mobile malware has indeed become a very popular product in underground boards. Looking at the previous quarters this year, researchers reported over 3.5 million installations of malicious app packages in the second quarter of 2016, which is 1.7 times more than the amount logged during the previous quarter. These statistics continually alert service providers and their customers to rising risk levels and the prevalence of threats on mobile devices.
Per IBM Trusteer data, the mobile banking malware category ranked third in Q2 2016, representing 15 percent of threats targeting users. Apps in this category are linked with online banking fraud — including overlay malware like Bilal Bot — as well as SMS hijackers that steal two-factor authentication codes and phishing apps purporting to be legitimate bank applications. In some cases, these Trojans even delete the bank’s genuine app and replace it with a malicious version.
Reinforcing our statistics with real-world reporting, an FBI spokesperson said the government agency is seeing malware that specifically targets banking apps for the sole purpose of stealing account credentials.
Within this context, Bilal Bot has similar overlay capabilities and fraud-enabling features like some of the most prolific mobile banking malware active in 2016. This category includes malware such as Marcher, GM Bot, FakeBank, SlemBunk, Bankosy, AceCard, Asacub and, most recently, Fanta SDK.
Securing Our Mobile Devices
Nowadays, mobile devices are probably the most looked-at piece of technology end users have in their possession; the average person looks at his or her phone 46 times a day. As for banking with our phones, studies show that 38 percent of consumers interact with a bank primarily by mobile device, and 63 percent use phones to carry out standard banking tasks. In other words, mobile banking is being used more than ever before.
With this in mind, cybercriminals are not going to miss out on opportunities to get users to open malicious messages or emails, click on evil links or download a innocuous-looking apps from dubious sources. Users can foil most of their attacks by following some familiar security steps:
- Update your phone’s operating system as soon as a new update is available. Delete apps you no longer use and always update those you do.
- Install a security app on your device.
- Treat unsolicited SMS and emails as spam and never open them, follow links, open attachments or heed their warnings.
- If ever in doubt about a communication, call your service provider directly using a number you know to be genuine. Criminals like using stressful ploys, such as informing users their bank/credit card accounts have been disabled. Don’t take the bait — call your bank directly to find out.
- Don’t enable sideloading on your device.
- To keep it more secure, don’t root/jailbreak your device.
- Don’t download apps from unofficial app stores.
- Don’t grant applications admin permissions. If an app requires that sort of control, it is likely something you don’t want on your device.
- Malicious apps often ask for your location, access to SMS, access to calls and access to services that cost money. If you downloaded a legitimate app that needs all the above, make sure it actually uses this information for the services it offers you.
- Be vigilant to any odd behavior the device may display. Mobile malware apps can lock the device for a ransom or to keep users out while fraudulent activity takes place. If you discover your device is suddenly inaccessible, scan it for ransomware and check your monthly bill and bank account.