Android users are being warned to expect a spike in malware attacks after the source code of a highly customisable and adaptable exploit kit known as GMBot was leaked to the dark web. Uncovered by security researchers at IBM, the leaked code, its control panel and even an instruction manual have now started to spread online – meaning anyone can become a mobile malware kingpin with ease.
GMBot is a mobile malware that emerged in late-2014 in the Russian cyber-underground. Despite going under a slew of aliases – including SlemBunk, Bankosy, Acecard and Slempo and MazarBot – the malware is notorious in criminal circles as being an extremely effective banking Trojan and spyware tool. Indeed, the researchers at IBM have branded it a 'one-stop shop' for Android attacks.
The software is known for its ability to run 'overlay screens' on top of applications in order to trick users into entering their usernames and passwords, which are then sent to the hacker's remote server. Now GMBot, IBM warns, is open for anyone to recompile the code, create new variants and use the leaked sources to build, sell or deploy this malware for fraud scenarios – all for as little as $500 (£353).
"The exposure of GMBot's code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others," explained Limor Kessem, cyber intelligence expert at IBM.
"While GMBot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game-changer in the realm of mobile threats. Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware."
The capabilities of GM Bot
Indeed, it was recently revealed that MazarBot, a variant of GMBot, was found to be actively attacking Android smartphones, giving attackers full administrative rights to monitor and control nearly every aspect of the device. The manipulative and persistent piece of malware takes hold via a malware-ridden SMS/MMS message that, once clicked, spreads a torrent of alarming exploits such as anonymously accessing the web, putting the phone into sleep mode and even fully erasing all content from the device.
Yet that's only one aspect of the malware. A spate of commands can be sent from a GMBot controller to the infected device directly from the attacker's command-and-control (C&C) server, including intercepting all calls and messages of the Android device, snooping on all banking applications and GPS tracking.
"A cybercriminal operating GMBot can also lock the phone's screen and delay the victim's ability to access the device. This is part of the tactics used by fraudsters when they plan to intercept two-factor authorisation codes sent from the bank and want to prevent the victim from questioning the SMS," added Kessem.
IBM researchers posted a section of the post from the underground forum, translated from Russian. It states:
"The majority of us have an online banking app on our phones. Imagine that your phone is now infected by malware. The attacker can now read content on your phone, but that is not enough. Now we have something that is just like injections! That's not the injections we're used to seeing, no. We're not interested in browsers..."
"So how do Android injections work? What's an app injection like? Nothing unusually difficult! Any injection looks like a perfect fake page, the goal of which is to obtain info from the unsuspecting victim - hence, a fake window that overlays on top of the main window and features the exact same design. The injection asks for the exact info that is required to access the online banking account and for transactions to be authorised."
Going deeper underground
Information and intelligence sharing are commonplace in the security industry and it should be little surprise that cybercriminals have effectively mirrored this technique. "We often hear about cybercriminals sharing information and collaborating in underground boards," said Kessem, who then explained the leak was likely due to someone looking to build credibility on the dark web.
Yet while the information is in the wild, Kessem notes that the data would be unlikely to be of use to a pure novice. "The leaked malware and control panel source codes would not mean much to the non-technical, inexperienced fraudster readers who never compiled malicious code on their own," she explained. "The post's author is addressing cybercriminals who either actively use banking Trojans or understand Trojan-facilitated online banking fraud."
Yet, as we know from the sheer amount of breaches over the last 12 months, from TalkTalk to Target, there are plenty of capable people lurking on the dark web.