Android users are being warned to expect a spike in malware attacks after the source code of a highly customisable and adaptable exploit kit known as GMBot was leaked to the dark web. Uncovered by security researchers at IBM, the leaked code, its control panel and even an instruction manual have now started to spread online – meaning anyone can become a mobile malware kingpin with ease.
GMBot is a mobile malware family that emerged in late 2014 in the Russian cyber-underground. Despite going under a slew of aliases – including SlemBunk, Bankosy, Acecard, Slempo and MazarBot – the malware is notorious in criminal circles as an extremely effective banking Trojan and spyware tool. Indeed, the researchers at IBM have branded it a 'one-stop shop' for Android attacks.
The software is known for its ability to run 'overlay screens' on top of applications in order to trick users into entering their usernames and passwords, which are then sent to the hacker's remote server. Now GMBot, IBM warns, is open for anyone to recompile the code, create new variants and use the leaked sources to build, sell or deploy this malware for fraud scenarios – all for as little as $500 (£353).
"The exposure of GMBot's code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others," explained Limor Kessem, cyber intelligence expert at IBM.
"While GMBot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game-changer in the realm of mobile threats. Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware."
The capabilities of GMBot
Indeed, it was recently revealed that MazarBot, a variant of GMBot, was found to be actively attacking Android smartphones, giving attackers full administrative rights to monitor and control nearly every aspect of the device. The manipulative and persistent piece of malware takes hold via a malicious link in an SMS/MMS message that, once clicked, installs the malware and unlocks a range of alarming capabilities, such as anonymously accessing the web, putting the phone into sleep mode and even fully erasing all content from the device.
Yet that's only one aspect of the malware. A range of commands can be sent to the infected device directly from the attacker's command-and-control (C&C) server, including intercepting all calls and messages on the Android device, snooping on all banking applications and GPS tracking.
"A cybercriminal operating GMBot can also lock the phone's screen and delay the victim's ability to access the device. This is part of the tactics used by fraudsters when they plan to intercept two-factor authorisation codes sent from the bank and want to prevent the victim from questioning the SMS," added Kessem.
Going deeper underground
Information and intelligence sharing are commonplace in the security industry and it should be little surprise that cybercriminals have effectively mirrored this technique. "We often hear about cybercriminals sharing information and collaborating in underground boards," said Kessem, who then explained the leak was likely due to someone looking to build credibility on the dark web.
Yet while the information is in the wild, Kessem notes that the data would be unlikely to be of use to a pure novice. "The leaked malware and control panel source codes would not mean much to the non-technical, inexperienced fraudster readers who never compiled malicious code on their own," she explained. "The post's author is addressing cybercriminals who either actively use banking Trojans or understand Trojan-facilitated online banking fraud."
Yet, as we know from the sheer number of breaches over the last 12 months, from TalkTalk to Target, there are plenty of capable people lurking on the dark web.