Endpoint October 24, 2016
By Limor Kessem 3 min read

IBM X-Force Research detected a recently updated version of the GM Bot mobile banking malware designed to deploy on Android 6 operating systems and bypass new security applied to the platform. Android officially released this Marshmallow OS, code-named M, in October 2015. The GM Bot version we analyzed can work on all Android versions up to the Marshmallow distribution.

This new finding is notable since GM Bot’s developer was banned in underground boards where he used to sell the malware. A competitor claimed that the original developer has stopped selling it. However, it’s now obvious that GM Bot is still alive and continuously updated to circumvent Android security. Attackers have been actively using the new version in the wild.

GM Bot Continues to Evolve

Overlay Trojans, such as GM Bot and its derivatives, are designed to superimpose fraudulent message windows on top of banking and payment applications to phish credentials, credit card information and other personally identifiable information (PII). GM Bot’s spyware features also empower remote attackers to access transaction authorization codes sent via short message service (SMS), view device information, intercept, forward or initiate phone calls, or lock the device’s screen. Overlay malware is ultimately a cybercriminal’s way to gather victims’ online banking credentials and authentication factors all on one device.

In general terms, the overlay scheme works when the malware can:

  • Identify which app was opened by the user and which app is running in the foreground.
  • Launch a matching fake app screen on top of the running app.

The first task is often achieved by abusing Android getRunningTasks() application program interface (API). The option was deprecated starting with the Android Lollipop release, thus temporarily hampering the ability of overlay Trojans to figure out what the user is looking at.

Of course, cybercriminals operating Trojans of this type are not going to wait to find the next fix. Malware developers tried a variety of tricks to get past the new deprecation block, including:

  • Getting the current foreground application via getRunningAppProcesses(), which was introduced and worked on Android 5.0 and 5.1 (Android L);
  • Abusing the accessibility service to find out what’s running on the screen; and
  • In some cases, abusing the UsageStatsManager API.

GM Bot’s developer, known as GanjaMan, also found a way to bypass the deprecation block and implemented it in the most recent version of the malware. In this case, the developer did not go far into programming genius. Rather, he used an open-source method documented on GitHub and began implementing a process enumeration to find out which app was running in the foreground — a good, heuristic way to figure it out.

Worried about Mobile security? Read this white paper

In the screen capture below, we can see GM Bot calling on four functions. Next, it will choose how to get the foreground app, depending on the Android version running on the infected device:

The updated GM Bot is able to fetch the enumeration trick to get information on the app running in the foreground:

With that information available to guide it, GM Bot can once again fetch a matching fake overlay to present to the victim, even on devices running Android M.

GanjaMan Bounces Back

GM Bot is one of the best-known commercialized mobile malware codes in the overlay category. It first surfaced in October 2014 in underground discussion boards. The developer sold it continually to fraudsters until a GM Bot customer leaked the source code in February 2016.

The leak was apparently of no consequence to the developer, who promptly released a second version of the malware later that month. In his post, he indicated that the new version was the fruit of six months’ work, since he had rewritten he malware “from scratch.” He also claimed to have incorporated three different Android OS exploits for infecting user devices, thus tripling the original price of a GM Bot kit from $5,000 to $15,000.

But code development and customer service are two distinct art forms. Soon after the second release, GanjaMan was banned from the forums on which he sold his malware as a result of a customer dispute. Since then, GM Bot was believed to have vanished, but we did not expect the author to abandon his misdeeds altogether due to a mere forum ban.

IOCs

Details on the GM Bot sample we analyzed appear below:

  • Malware Sample MD5: da88bdcb3d53d3ce7ab9f81d15be8497
  • Unpacked Sample MD5: 12b4ae334b31c752f7f6174a1450e9da

For more information on how to protect your Android-based device from malware like GM Bot, refer to these helpful tips for mitigating malware.

 |  |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM

Limor Kessem is a Principal Consultant with X-Force’s Cyber Crisis Management, helping organizations prepare for and face crisis-level cyber-attacks. Previ...

More from Endpoint
Software Vulnerabilities   March 21, 2023

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Endpoint   March 20, 2023

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Intelligence & Analytics   February 24, 2023

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Intelligence & Analytics   February 21, 2023

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature