Mobile Malware Competition Rises in Underground Markets

The mobile malware marketplace has been bustling with activity in the past few months. Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.

A scan of recent events linked with mobile malware includes the GM Bot code leak, reported by IBM X-Force research in February, and the subsequent release of a new version of GM Bot in March 2016. With this later release, the GM Bot author tripled the price of the overlay malware from $5,000 to $15,000. By April, IBM X-Force researchers noticed that GM Bot’s vendor, who goes by the alias GanjaMan, had been banned from the top underground markets due to a dispute with a customer.

GM Bot is one of the longest-standing overlay malware offerings in the Russian-speaking underground, but it is considered rather expensive. Meanwhile, other developers and malware vendors recognize the profit opportunity in the Android malware market, creating competition in the form of lower-cost alternatives on one hand and more sophisticated offerings on the other.

Three alternative offerings actively being sold on underground boards are Bilal Bot, Cron Bot and KNL Bot. Their authors are peddling them for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, all three have overlay screen and data theft capabilities, according to their vendors.

KNL Bot on the Rise

The KNL Bot offering is the most similar to GM Bot judging by its supposed feature list, yet its price point is about half that of GM Bot’s lower-end package. This bot has been around for at least as long as GM Bot has. Its developers are selling the malware with a botnet control panel.

They also highlight the malware’s potential monetization options: KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data. The figure below shows the translated KNL Bot forum post.

Extract from KNL Bot Forum Post (Translated from Russian by IBM Trusteer Research)

Bilal Bot: Low-Cost Basics

A second offering, dubbed Bilal Bot, is both cheaper and less advanced than malware like GM Bot or KNL. Bilal Bot’s price tag is currently around $3,000 and includes unlimited free bug fixes.

On the sales post, this malware’s authors scoff at the long list of functions enabled by competing black hats and link complex functionality with bot crashes and constant bugs. They further attempt to discredit other malware by claiming it is easily detectable because it has been around longer and offers poor technical support.

Although this malware is supposedly still in testing mode, Bilal Bot promises to focus on fraud-enabling capabilities, namely overlay screens, SMS hijacking, call forwarding and customized overlay packages. It also will reportedly enable the botmaster to edit and enable overlay screens from the control panel, then send them to the infected bots (see below for its control panel, showing phishing overlay screen edit option). Those functions are yet to be seen in the wild.

Bilal Bot's Control Panel Showing Phishing Overlay Screen Edit Option

Is Cron Bot a Serious Contender?

Cron Bot is a new mobile malware offering in the underground that first appeared on April 1, 2016. This newcomer claims to bring sophisticated malicious options reminiscent of PC Trojans to the Android platform. An extract from the vendor’s underground post lists the following features:

  • Has several modules: hVNC, stealer, injects, SOCKS5, loader, keylogger, cmd and more;
  • Works on every OS;
  • Has a small file size — only 400 KB; and
  • Comes with a builder.

The Android application package (APK) is a separate piece offering features common to other financially motivated malware. For example:

  • Functionality includes SMS hijacking, CC grabbing, all kinds of information gathering, call forwarding, USSD grab, overlay screens and other functions — all that you can squeeze from the device without root-level access;
  • Covert work on all versions of Android (excluding system privilege queries);
  • APK size of 100 KB;
  • Cleanup two times per week;
  • APK loader (20 KB); and
  • A polymorphic builder to ensure every new build is different, plus encryption of resources and strings.

The Cron Bot kit is sold in several pieces: the executable file ($4,000 per month), the APK ($4,000 per month) or a combination of both ($6,000 per month), with or without encryption services and hosting from the vendor ($7,000 per month for the entire package). Cron Bot’s authors are not selling the malware at this time; it is only offered for rent on a monthly basis.

This malware-as-a-service model is not rare. Many vendors attempt to protect their code from being copied or shared with others by offering it for rent only.


The Mobile Malware Marketplace Is Going Strong

KNL, Cron and Bilal are only three current-day examples from a mobile malware marketplace that has been gaining rapid momentum on many levels. Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organized gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors.

The rising supply of different offerings, including low-cost alternatives, may be in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea for the fraud endeavors they cannot carry out without a banking Trojan operation.

Awareness and Security Are Key

IBM X-Force researchers expect overlay malware botnets to further proliferate in the wild due to their ability to facilitate the theft of financial credentials alongside other authentication and customer identification elements. As the risks of infection and financial fraud rise, the combination of user awareness and mobile app security is key to protecting customers from mobile malware’s malice at a time when Android devices can be tricky to secure.

One must keep in mind that while Android-based devices mostly get infected with mobile malware when they download apps from third-party app stores, in some cases, malicious apps can make it into the official stores or get bundled with legitimate apps to infiltrate user devices.

Furthermore, ensuring that the operating system on any given Android device is up to date and secure is not always a simple feat due to the number of factors that play into that task. It is important to detect the signs and activity of mobile threats on the device. For example, rooted devices present higher risk, and those devices sporting root hiders are even more likely to contain malicious programs.

X-Force researchers noted that the new malware offerings have not been analyzed from attacks in the wild. However, these overlay screens are likely to be implemented in the same ways as previous malware and therefore may be detected by security solutions that bolster app security.

Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.