The mobile malware marketplace has been bustling with activity in the past few months. Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.

A scan of recent events linked with mobile malware includes the GM Bot code leak, reported by IBM X-Force research in February, and the subsequent release of a new version of GM Bot in March 2016. With this later release, the GM Bot author tripled the price of the overlay malware from $5,000 to $15,000. By April, IBM X-Force researchers noticed that GM Bot’s vendor, who goes by the alias GanjaMan, had been banned from the top underground markets due to a dispute with a customer.

GM Bot is one of the longest-standing overlay malware offerings in the Russian-speaking underground, but it is considered rather expensive. Meanwhile, other developers and malware vendors recognize the profit opportunity in the Android malware market, creating competition in the form of lower-cost alternatives on one hand and more sophisticated offerings on the other.

Three alternative offerings actively being sold in underground boards include Bilal Bot, Cron Bot and KNL Bot. These malicious codes are being peddled by their authors for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, all three claim to have the overlay screen capabilities and data theft ability, according to their vendors.

KNL Bot on the Rise

The KNL Bot offering is the most similar to GM Bot judging by its supposed feature list, yet its price point is about half that of GM Bot’s lower-end package. This bot has been around for at least as long as GM Bot has. Its developers are selling the malware with a botnet control panel.

They also highlight the malware’s potential monetization options: KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data. The figure below shows the translated KNL Bot forum post.

Bilal Bot: Low-Cost Basics

A second offering, dubbed Bilal Bot, is both cheaper and less advanced than malware like GM Bot or KNL. Bilal Bot’s price tag is currently around $3,000 and includes unlimited free bug fixes.

In the sales post, this malware’s authors scoff at the long list of functions advertised by competing black hats and associate complex functionality with bot crashes and constant bugs. They further attempt to discredit other malware by claiming it is easily detectable because it has been around longer, and that its vendors offer poor technical support.

Although this malware is supposedly still in testing mode, Bilal Bot promises to focus on fraud-enabling capabilities, namely overlay screens, SMS hijacking, call forwarding and customized overlay packages. It also will reportedly enable the botmaster to edit and enable overlay screens from the control panel, then send them to the infected bots (see below for its control panel, showing phishing overlay screen edit option). Those functions are yet to be seen in the wild.

Is Cron Bot a Serious Contender?

Cron Bot is a new mobile malware offering in the underground that first appeared on April 1, 2016. This newcomer claims to bring sophisticated malicious options reminiscent of PC Trojans to the Android platform. An extract from the vendor’s underground post lists the following features:

  • Has several modules: hVNC, stealer, injects, SOCKS5, loader, keylogger, cmd and more;
  • Works on every OS;
  • Has a small file size — only 400 KB; and
  • Comes with a builder.

The Android application package (APK) is a separate piece offering features common to other financially motivated malware. For example:

  • Functionality includes SMS hijacking, CC grabbing, all kinds of information gathering, call forwarding, USSD grab, overlay screens and other functions — all that you can squeeze from the device without root-level access;
  • Covert work on all versions of Android (excluding system privilege queries);
  • APK size of 100 KB;
  • Cleanup two times per week;
  • APK loader (20 KB); and
  • A polymorphic builder to ensure every new build is different, plus encryption of resources and strings.
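The capabilities these vendors advertise (overlay screens, SMS hijacking, call forwarding, USSD) all have to be declared as Android permissions when the app runs without root, which is what makes them visible to app-vetting tools. The following is an added example, not IBM X-Force code or any of the bots' code: it parses a decoded AndroidManifest.xml, groups the declared permissions by the capability family they enable, and produces a coarse triage verdict. The permission names are real Android permissions; the grouping, the scoring thresholds and the two sample manifests are this example's own constructions.

```python
"""Triage an Android manifest for the permission combination overlay
bankers depend on. Added example; both sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability families from the vendor feature lists, mapped to the Android
# permissions an app must declare to use them without root. The permission
# names are real; the grouping is this example's own assumption.
CAPABILITY_PERMISSIONS = {
    "overlay_screens": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_hijacking": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "call_forwarding_ussd": {
        "android.permission.CALL_PHONE",
        "android.permission.PROCESS_OUTGOING_CALLS",
    },
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "foreground_app_tracking": {
        "android.permission.GET_TASKS",
        "android.permission.PACKAGE_USAGE_STATS",
    },
}

# Components bound to these permissions gain powers a fraud bot abuses:
# device admin makes uninstall hard, an accessibility service can read
# and act on other apps' screens.
PRIVILEGED_BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        node.get(ANDROID_NS + "name")
        for node in root.iter("uses-permission")
        if node.get(ANDROID_NS + "name")
    }


def privileged_bindings(manifest_xml: str) -> set:
    """Return privileged android:permission values on declared components."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("service", "receiver", "activity"):
        for node in root.iter(tag):
            perm = node.get(ANDROID_NS + "permission")
            if perm in PRIVILEGED_BINDINGS:
                found.add(perm)
    return found


def fraud_capabilities(manifest_xml: str) -> dict:
    """Map each capability family to the matching permissions the app declares."""
    perms = declared_permissions(manifest_xml)
    return {
        cap: perms & needed
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }


def triage(manifest_xml: str) -> str:
    """Coarse verdict: overlay plus SMS interception is the overlay-banker pattern."""
    caps = fraud_capabilities(manifest_xml)
    bindings = privileged_bindings(manifest_xml)
    if "overlay_screens" in caps and "sms_hijacking" in caps:
        return "high"
    if len(caps) + len(bindings) >= 2:
        return "medium"
    if caps or bindings:
        return "low"
    return "none"


# Constructed sample: a "flashlight" app asking for far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>"""

# Constructed sample: a camera app with a plausible permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest), fraud_capabilities(manifest), privileged_bindings(manifest))
```

This is a declared-permission heuristic, not a detection of malicious behaviour: a legitimate SMS client or dialer will also score on some families, so the verdict is a prioritisation signal for manual review, and the SYSTEM_ALERT_WINDOW plus SMS combination is the one that most directly matches the overlay-and-interception model these vendors describe.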

The Cron Bot kit is sold in several pieces: the executable file ($4,000 per month), the APK ($4,000 per month) or a combination of both ($6,000 per month), with or without encryption services and hosting from the vendor ($7,000 per month for the entire package). Cron Bot’s authors are not selling the malware at this time; it is only offered for rent on a monthly basis.

This malware-as-a-service model is not rare. Many vendors attempt to protect their code from being copied or shared with others by offering it only in rental mode.

The Mobile Malware Marketplace Is Going Strong

KNL, Cron and Bilal are only three current-day examples from a mobile malware marketplace that has been gaining rapid momentum on many levels. Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organized gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors.

The rising supply of different offerings, including low-cost alternatives, may be a response to rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea for the fraud schemes they cannot carry out without a banking Trojan operation.

Awareness and Security Are Key

IBM X-Force researchers expect overlay malware botnets to further proliferate in the wild due to their ability to facilitate the theft of financial credentials alongside other authentication and customer identification elements. As the risks of infection and financial fraud rise, the combination of user awareness and mobile app security is key to protecting customers from mobile malware at a time when Android devices can be tricky to secure.

One must keep in mind that while Android-based devices mostly get infected with mobile malware when they download apps from third-party app stores, in some cases, malicious apps can make it into the official stores or get bundled with legitimate apps to infiltrate user devices.

Furthermore, ensuring that the operating system on any given Android device is up to date and secure is not always a simple feat due to the number of factors that play into that task. It is important to detect the signs and activity of mobile threats on the device. For example, rooted devices present higher risk, and those devices sporting root hiders are even more likely to contain malicious programs.

X-Force researchers note that these new malware offerings have not yet been analyzed from attacks in the wild. However, their overlay screens are likely to be implemented in the same ways as in previous malware and therefore may be detected by security solutions that bolster app security.

