After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.
According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.
Evolving With Exploitation Tools
An interesting point mentioned by the post’s author is his claim that he has incorporated three different Android OS exploits for infecting user devices. At this time, the exploits the vendor mentions are known and have patches, so fully up-to-date devices should be protected against such vulnerabilities. However, according to the post, additional exploits are being examined and will be added in the coming months.
The developer also promises a future option to open a Tor communication channel from infected devices and having root admin control that cannot ever be undone by the user. Building malware that roots the infected device can allow an attacker to download additional malware into the device and control it remotely.
Calling on Early Adopters
The new mobile malware is apparently a testing phase of sorts at this time, but early adopters are not getting a discount. The malware developer offers a $15,000 package for the malware and exploits, plus an ongoing $2,000 rental fee starting from the second month onward. Those who wish to skip the exploits pack can opt for the malware-only package at $8,000, plus a $1,200 monthly rental fee from the second month on. The price has tripled compared to the $5,000 price tag for the previous version.
Malware pricing with monthly fees in tow are reminiscent of the sale model of major banking Trojans such as Zeus, SpyEye and Citadel, when those kits were peddled by their developers a few years back.
Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware.
On top of recruiting customers, as he puts it, GanjaMan is also seeking professional pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.
It is not surprising to see a malware developer openly calling on accomplices to partner with as part of the infection chain. The installs market, where individuals can be paid for each successful malware installation they facilitate, has always been part of the cybercrime supply chain. In many cases, fraudsters who specialize in black-hat search engine optimization (SEO), spam botnets, exploit kits, adware, malicious Web toolbars and/or malicious landing pages sell installation services to other criminals in Dark Web forums or through an underground e-commerce website.
About GanjaMan’s Malware Work
The developer who goes by the GanjaMan alias appears to have been authoring and selling different pieces of Android malware in the underground for about two years at the time of this writing.
Overlay spyware like GM Bot is designed to plaster fake message windows on top of banking and payment apps to phish credentials, payment card details, VBV/MSC codes and user PII. This alone makes overlay malware dangerous. But beyond the phishing capability, GM Bot’s spyware features enable a remote attacker to steal transaction authorization codes sent via SMS, exfiltrate device information, intercept or forward incoming phone calls, initiate calls and even lock the device’s screen.
The first malware product released by this actor, GM Bot v1, was advertised in underground fraud boards in October 2014. At the time, GM Bot was the only commercial mix of spyware, a SMS hijacking tool and overlay-type malware to be offered to cybercriminals in the Dark Web.
According to X-Force researchers who follow the evolution of mobile malware in the underground, the distribution rights to the malware were sold to another developer, who in turn changed its name to Mazar Bot. That actor continues to sell and develop it under that name.
In March 2015, the original GM Bot developer released his next malicious offering, this time naming it Skunk. The malware, which is most likely what’s known as GM Bot today, was designed to be an overlay Trojan that dynamically pulls HTML/JS screens from a remote server in real time. While it cannot modify its target apps on the fly, the dynamic ability to get new overlay screens from a remote server made the malware more flexible than any other similar option that had to include or hard-code static images into its files.
Another offering from this developer was GM Loader, a malware downloader designed to help criminals fetch whatever they wish from the mobile devices they infect. This practice is very common in PC Trojans and is especially useful for fraudsters who get paid for each successful installation they facilitate.
GM Bot’s code base has been used elsewhere and is associated with other aliases such as SlemBunk, Bankosy and AceCard, all of which refer to the same type of malware. The main differences between these Trojans are the operators who manage them, the infection process and the eventual uses of the stolen data the Trojans exfiltrate to their nefarious owners.
With the leak of GM Bot’s source code in December 2015, IBM X-Force researchers expect to see many more variations of this malware and a sharp rise in the number of criminals operating overlay Trojans in the coming months.
Mitigating Mobile Threats
IBM Security has worked with customers to study and detect malware like GM Bot. Its security tools and extensive research can be of help to banks and organizations that wish to learn more about this high-risk threat.
Bolstering application security in your organization can help keep your users safe from evolving threats such as GM Bot and other overlay malware. With protection layers designed to address the ever-changing threat landscape, organizations from all sectors can benefit from IBM Security’s malware intelligence, which provides real-time insight into fraudster tools, techniques and capabilities.
Read the white paper: Accelerating growth and digital adoption with seamless identity trust
Principal Consultant, X-Force Cyber Crisis Management, IBM