The mobile malware marketplace has been bustling with activity in the past few months. Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.

A scan of recent events linked with mobile malware includes the GM Bot code leak, reported by IBM X-Force research in February, and the subsequent release of a new version of GM Bot in March 2016. With this later release, the GM Bot author tripled the price of the overlay malware from $5,000 to $15,000. By April, IBM X-Force researchers noticed that GM Bot’s vendor, who goes by the alias GanjaMan, got banned in the top underground markets due to a dispute with a customer.

GM Bot is one of the longest-standing overlay malware offerings in the Russian-speaking underground, but it is considered rather expensive. Meanwhile, other developers and malware vendors recognize the profit opportunity in the Android malware market, creating competition in the form of lower-cost alternatives on one hand and more sophisticated offerings on the other.

Three alternative offerings actively being sold in underground boards include Bilal Bot, Cron Bot and KNL Bot. These malicious codes are being peddled by their authors for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, all three claim to have the overlay screen capabilities and data theft ability, according to their vendors.

KNL Bot on the Rise

The KNL Bot offering is the most similar to GM Bot judging by its supposed feature list, yet its price point is about half that of GM Bot’s lower-end package. This bot has been around for at least as long as GM Bot has. Its developers are selling the malware with a botnet control panel.

They also highlight the malware’s potential monetization options: KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data. The figure below shows the translated KNL Bot forum post.

Bilal Bot: Low-Cost Basics

A second offering, dubbed Bilal Bot, is both cheaper and less advanced than malware like GM Bot or KNL. Bilal Bot’s price tag is currently around $3,000 and includes unlimited free bug fixes.

On the sales post, this malware’s authors scoff at the long list of functions enabled by competing black hats and link complex functionality with bot crashes and constant bugs. They further attempt to discredit other malware by claiming it is easily detectable because it has been around longer and offers poor technical support.

Although this malware is supposedly still in testing mode, Bilal Bot promises to focus on fraud-enabling capabilities, namely overlay screens, SMS hijacking, call forwarding and customized overlay packages. It also will reportedly enable the botmaster to edit and enable overlay screens from the control panel, then send them to the infected bots (see below for its control panel, showing phishing overlay screen edit option). Those functions are yet to be seen in the wild.

Is Cron Bot a Serious Contender?

Cron Bot is a new mobile malware offering in the underground that first appeared on April 1, 2016. This newcomer claims to bring sophisticated malicious options reminiscent of PC Trojans to the Android platform. An extract from the vendor’s underground post lists the following features:

  • Has several modules: hVNC, stealer, injects, SOCKS5, loader, keylogger, cmd and more;
  • Works on every OS;
  • Has a small file size — only 400 KB; and
  • Comes with a builder.

The Android application package (APK) is a separate piece offering features common to other financially motivated malware. For example:

  • Functionality includes SMS hijacking, CC grabbing, all kinds of information gathering, call forwarding, USSD grab, overlay screens and other functions — all that you can squeeze from the device without root-level access;
  • Covert work on all versions of Android (excluding system privilege queries);
  • APK size of 100 KB;
  • Cleanup two times per week;
  • APK loader (20 KB); and
  • A polymorphic builder to ensure every new build is different, plus encryption of resources and strings.

The Cron Bot kit is sold in several pieces: the executable file ($4,000 per month), the APK ($4,000 per month) or a combination of both ($6,000 per month), with or without encryption services and hosting from the vendor ($7,000 per month for the entire package). Cron Bot’s authors are not selling the malware at this time; it is only offered for rent on a monthly basis.

This malware-as-a-service model is not rare. Many vendors attempt to protect their codes from being copied or shared with others by launching sales in rental mode.

The Mobile Malware Marketplace Is Going Strong

KNL, Cron and Bilal are only three current-day examples from a mobile malware marketplace that has been gaining rapid momentum on many levels. Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organized gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors.

The rising supply of different offerings, including low-cost alternatives, may be in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea to the fraud endeavors they cannot carry out without a banking Trojan operation.

Awareness and Security Are Key

IBM X-Force researchers expect overlay malware botnets to further proliferate in the wild due to their ability to facilitate the theft of financial credentials alongside other authentication and customer identification elements. As the risks of infection and financial fraud rise, the combination of user awareness and mobile app security is key to protecting customers from mobile malware’s malice at a time where Android devices can be tricky to secure.

One must keep in mind that while Android-based devices mostly get infected with mobile malware when they download apps from third-party app stores, in some cases, malicious apps can make it into the official stores or get bundled with legitimate apps to infiltrate user devices.

Furthermore, ensuring that the operating system on any given Android device is up to date and secure is not always a simple feat due to the number of factors that play into that task. It is important to detect the signs and activity of mobile threats on the device. For example, rooted devices present higher risk, and those devices sporting root hiders are even more likely to contain malicious programs.

X-Force researchers noted that the new malware offerings have not been analyzed from attacks in the wild. However, these overlay screens are likely to be implemented in the same ways as previous malware and therefore may be detected by security solutions that bolster app security.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - Summary As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today