Pierluigi Paganini February 22, 2016

The experts at the IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked online.

Bad news for the Android community, the experts at IBM X-Force threat intelligence have discovered that the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it include the bot component and the control panel.

It seems that one of GM Bot’s buyers decided to leak the code online to enhance credibility in the underground boards.

He leaked the code in an encrypted archive, then he indicated he would give the password only to active forum members who contacted him.

Of course, the code rapidly spread within the criminal ecosystem, it is now free and online is available a tutorial and the instructions for the server-side installation.

The availability online of the source code of a malware represents a crucial moment in the life cycle of malicious codes. Once the code is leaked online, cyber criminal organizations can work on it to create new variants that could be offered for sale or rent.

The original creator of the Android malware has sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that is offering it for $500.

“According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.” states a blog post published by the X-Force threat intelligence.

GM Bot appeared in the wild in 2014, it was offered in the Russian underground as a powerful instrument for mobile phishing.

“This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.” continues the post. 

The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.

In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:

1. They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
2. They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
3. They can forward phone calls to a remote attacker.
4. They have spyware features and can control the device via remote commands.

The experts at the IBM have analyzed only the control panel because many other organizations and security firms already produced a detailed analysis of malware.

The most interesting feature discovered by the experts in the GM Bot’s botnet administration panel is the possibility to create and deploy new injections to infected user devices.

Another interesting component of the Botnet is the “Search and Stats” section that allows operators to analyze their database that includes stolen information, credit card details, lists of apps installed on infected devices, bank accounts the victims and other info.

Let me suggest to give a look to the interesting analysis published by IBM that also includes the indicators of compromise.

Pierluigi Paganini

(Security Affairs – Botnet, GM Bot)