The mobile malware marketplace has been bustling with activity in the past few months. Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.

A scan of recent events linked with mobile malware includes the GM Bot code leak, reported by IBM X-Force research in February, and the subsequent release of a new version of GM Bot in March 2016. With this later release, the GM Bot author tripled the price of the overlay malware from $5,000 to $15,000. By April, IBM X-Force researchers noticed that GM Bot’s vendor, who goes by the alias GanjaMan, had been banned from the top underground markets due to a dispute with a customer.

GM Bot is one of the longest-standing overlay malware offerings in the Russian-speaking underground, but it is considered rather expensive. Meanwhile, other developers and malware vendors recognize the profit opportunity in the Android malware market, creating competition in the form of lower-cost alternatives on one hand and more sophisticated offerings on the other.

Three alternative offerings actively being sold in underground boards include Bilal Bot, Cron Bot and KNL Bot. These malicious codes are being peddled by their authors for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, all three claim to have the overlay screen capabilities and data theft ability, according to their vendors.

KNL Bot on the Rise

The KNL Bot offering is the most similar to GM Bot judging by its supposed feature list, yet its price point is about half that of GM Bot’s lower-end package. This bot has been around for at least as long as GM Bot has. Its developers are selling the malware with a botnet control panel.

They also highlight the malware’s potential monetization options: KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data. The figure below shows the translated KNL Bot forum post.

Bilal Bot: Low-Cost Basics

A second offering, dubbed Bilal Bot, is both cheaper and less advanced than malware like GM Bot or KNL. Bilal Bot’s price tag is currently around $3,000 and includes unlimited free bug fixes.

On the sales post, this malware’s authors scoff at the long list of functions enabled by competing black hats and link complex functionality with bot crashes and constant bugs. They further attempt to discredit other malware by claiming it is easily detectable because it has been around longer and offers poor technical support.

Although this malware is supposedly still in testing mode, Bilal Bot promises to focus on fraud-enabling capabilities, namely overlay screens, SMS hijacking, call forwarding and customized overlay packages. It also will reportedly enable the botmaster to edit and enable overlay screens from the control panel, then send them to the infected bots (see below for its control panel, showing the phishing overlay screen edit option). Those functions are yet to be seen in the wild.

Is Cron Bot a Serious Contender?

Cron Bot is a new mobile malware offering in the underground that first appeared on April 1, 2016. This newcomer claims to bring sophisticated malicious options reminiscent of PC Trojans to the Android platform. An extract from the vendor’s underground post lists the following features:

  • Has several modules: hVNC, stealer, injects, SOCKS5, loader, keylogger, cmd and more;
  • Works on every OS;
  • Has a small file size — only 400 KB; and
  • Comes with a builder.

The Android application package (APK) is a separate piece offering features common to other financially motivated malware. For example:

  • Functionality includes SMS hijacking, CC grabbing, all kinds of information gathering, call forwarding, USSD grab, overlay screens and other functions — all that you can squeeze from the device without root-level access;
  • Covert work on all versions of Android (excluding system privilege queries);
  • APK size of 100 KB;
  • Cleanup two times per week;
  • APK loader (20 KB); and
  • A polymorphic builder to ensure every new build is different, plus encryption of resources and strings.

The Cron Bot kit is sold in several pieces: the executable file ($4,000 per month), the APK ($4,000 per month) or a combination of both ($6,000 per month), with or without encryption services and hosting from the vendor ($7,000 per month for the entire package). Cron Bot’s authors are not selling the malware at this time; it is only offered for rent on a monthly basis.

This malware-as-a-service model is not rare. Many vendors attempt to protect their codes from being copied or shared with others by launching sales in rental mode.

The Mobile Malware Marketplace Is Going Strong

KNL, Cron and Bilal are only three current-day examples from a mobile malware marketplace that has been gaining rapid momentum on many levels. Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organized gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors.

The rising supply of different offerings, including low-cost alternatives, may be a response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea for the fraud endeavors they cannot carry out without a banking Trojan operation.

Awareness and Security Are Key

IBM X-Force researchers expect overlay malware botnets to further proliferate in the wild due to their ability to facilitate the theft of financial credentials alongside other authentication and customer identification elements. As the risks of infection and financial fraud rise, the combination of user awareness and mobile app security is key to protecting customers from mobile malware’s malice at a time where Android devices can be tricky to secure.

One must keep in mind that while Android-based devices mostly get infected with mobile malware when they download apps from third-party app stores, in some cases, malicious apps can make it into the official stores or get bundled with legitimate apps to infiltrate user devices.

Furthermore, ensuring that the operating system on any given Android device is up to date and secure is not always a simple feat due to the number of factors that play into that task. It is important to detect the signs and activity of mobile threats on the device. For example, rooted devices present higher risk, and those devices sporting root hiders are even more likely to contain malicious programs.

X-Force researchers noted that the new malware offerings have not yet been analyzed from samples captured in attacks in the wild. However, their overlay screens are likely to be implemented in the same ways as previous overlay malware and therefore may be detected by security solutions that monitor app behavior and permissions on the device.
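As an added defender-side illustration (not code from the original article), the script below parses the "requested permissions" sections of `adb shell dumpsys package` output and flags apps that pair the overlay permission with the SMS-hijacking, call-forwarding and persistence permissions the sales posts above advertise; the sample output and package names are constructed and only approximate the real dumpsys format.

```python
import re

# Overlay permission plus the permissions behind the capabilities the sales
# posts above advertise (SMS hijacking, call forwarding, boot persistence).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
RISKY = {
    "android.permission.RECEIVE_SMS": "SMS hijacking",
    "android.permission.PROCESS_OUTGOING_CALLS": "call forwarding",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
}
PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")

def parse_requested_permissions(dumpsys_text: str) -> dict:
    """Map each package to the names listed under its 'requested permissions:'."""
    result, current, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):          # a new package block starts
            current, in_requested = m.group(1), False
            result[current] = set()
            continue
        stripped = line.strip()
        if stripped.endswith(":"):           # a section header inside the block
            in_requested = current is not None and stripped == "requested permissions:"
        elif in_requested and (m := PERM_RE.match(line)):
            result[current].add(m.group(1))
    return result

def flag_overlay_candidates(perms: dict) -> dict:
    """Flag packages that pair the overlay permission with a RISKY capability."""
    reasons = {pkg: sorted({RISKY[p] for p in ps if p in RISKY})
               for pkg, ps in perms.items() if OVERLAY in ps}
    return {pkg: why for pkg, why in reasons.items() if why}

# Constructed sample that only approximates `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Package [com.example.bank] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.flashlight] (4d5e6f):
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.PROCESS_OUTGOING_CALLS
      android.permission.RECEIVE_BOOT_COMPLETED
"""
```

A banking app that legitimately requests the overlay permission is not flagged on its own; only the combination with SMS or call permissions raises a finding.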
