Several months ago, while monitoring Russian underground forums, we came across a new piece of malware that targets Android smartphones through social engineering: it lures victims into handing their online banking credentials and credit card details to the attackers.
The malware is dubbed GM BOT, and it has been offered for rent since October 2014 on a Russian underground forum dealing with malware development and sales. The price was $4,000 per month, later dropped to $2,000. In January 2015 the author (the forum member renting out GM BOT) posted about an Australian botnet built with the malware, including screenshots of banking details from Australian banks.
Later, in February 2015, he posted examples of the Man-in-the-Middle (MitM) attacks the malware can carry out (fake pages injected into a running application); two of them show fake login pages for Australian banks.
GM BOT Capabilities
The first version of the malware was released on October 29, 2014, and according to the thread it is designed to collect banking and credit card details. Data is collected from infected devices by social engineering: the victim is shown fake pages that ask for the details. The tool does this in several ways:
- Collection of Verified by Visa (VBV) data through a fake Google Play application; the card numbers entered are validated with the Luhn algorithm, so mistyped or made-up numbers are rejected.
- Scanning the phone for installed banking applications and presenting dialog boxes that ask the victim to fill in the corresponding confidential data.
- Checking for email and social media accounts linked to the phone (Gmail, Facebook, Twitter, etc.) and presenting dialog boxes that ask for the confidential data of those accounts.
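Luhn validation, mentioned in the first bullet, is the standard check-digit test for payment card numbers: it catches any single mistyped digit and almost every transposition of two adjacent digits. The Python below is an added example, not code from GM BOT or from this write-up. It implements the check, derives a check digit, and then applies the same test the way a defender might, to pick card numbers out of a captured blob of stolen form data. The capture text is constructed sample data (the card numbers are the well-known industry test numbers), and the 12-19 digit length bound is an assumption based on common card number lengths.

```python
import re
from typing import List


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a string of ASCII digits (0 means the number validates)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:      # every second digit, counting from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9      # equivalent to adding the two digits of the product
        total += d
    return total % 10


def is_luhn_valid(number: str) -> bool:
    """True if `number` (spaces or dashes allowed) is 12-19 digits and passes Luhn.
    The 12-19 bound is an assumption matching common payment card lengths."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit Luhn-valid (how the last digit of a
    card number is derived from the digits before it)."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


# Runs of 12-19 digits, optionally separated by single spaces or dashes, that are
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def find_card_numbers(text: str) -> List[str]:
    """Return the digit runs in `text` that pass the Luhn check, separators stripped.
    Other long digit runs (timestamps, IDs) are usually filtered out, but a random
    digit run passes Luhn one time in ten, so treat hits as triage, not proof."""
    found = []
    for m in CARD_RE.finditer(text):
        candidate = m.group(0)
        if is_luhn_valid(candidate):
            found.append(candidate.replace(" ", "").replace("-", ""))
    return found


# Constructed sample of the kind of form data such a bot would post back. The PANs
# are the public industry test numbers; the middle one has a typo in its last digit.
SAMPLE_CAPTURE = (
    "ts=20150110123456 pan=4111 1111 1111 1111 exp=03/17 vbv=ok\n"
    "ts=20150110123459 pan=4111-1111-1111-1112 exp=03/17 vbv=ok\n"
    "ts=20150110123507 pan=378282246310005 exp=11/16 vbv=ok\n"
)

if __name__ == "__main__":
    print(is_luhn_valid("4111 1111 1111 1111"))   # True
    print(is_luhn_valid("4111 1111 1111 1112"))   # False: last digit mistyped
    print(is_luhn_valid("1411 1111 1111 1111"))   # False: first two digits transposed
    print(luhn_check_digit("411111111111111"))    # "1"
    print(find_card_numbers(SAMPLE_CAPTURE))      # ['4111111111111111', '378282246310005']
```

The same filter serves both sides: an operator uses it to discard junk submissions from the fake Google Play form, and an analyst can run it over C&C traffic or a recovered dump to count how many real card numbers were taken.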
In addition, the malware can intercept and block incoming SMS messages (so that alerts from the bank never reach the victim), redirect incoming calls, monitor GPS data and more. Other forum members gave the malware highly positive feedback, judging it well suited to cybercrime.
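Each of the capabilities listed above (SMS interception and blocking, call redirection, GPS monitoring, dialog boxes drawn over other apps) needs specific Android permissions and manifest entries, so a decoded AndroidManifest.xml is a quick first place to triage a suspicious sample. The Python below is an added example, not code from the original post or from GM BOT: it parses a manifest and reports which of those capabilities the app has asked for. The permission-to-capability mapping is this example's assumption about how such features are usually implemented (the thread does not describe GM BOT's internals), the two manifests are constructed samples with hypothetical package names, and the priority check reflects that on Android versions before 4.4 a receiver registered for SMS_RECEIVED with a higher priority than the stock messaging app gets the message first and can abort the broadcast.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Standard Android permissions that each capability named in the thread would need.
# This mapping is an assumption about how such features are usually implemented,
# not a description of GM BOT's own code.
CAPABILITY_PERMS: Dict[str, List[str]] = {
    "sms interception/blocking": ["android.permission.RECEIVE_SMS",
                                  "android.permission.READ_SMS"],
    "call redirection": ["android.permission.CALL_PHONE",
                         "android.permission.PROCESS_OUTGOING_CALLS"],
    "gps monitoring": ["android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"],
    "overlay dialogs": ["android.permission.SYSTEM_ALERT_WINDOW",
                        "android.permission.GET_TASKS"],
}


def parse_manifest(xml_text: str) -> dict:
    """Extract the package name, requested permissions and the highest priority of
    any receiver registered for SMS_RECEIVED from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = sorted(p.get(ANDROID_NS + "name", "") for p in root.findall("uses-permission"))
    sms_priority: Optional[int] = None
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                sms_priority = prio if sms_priority is None else max(sms_priority, prio)
    return {"package": root.get("package"), "permissions": perms,
            "sms_receiver_priority": sms_priority}


def triage(xml_text: str) -> dict:
    """Map the requested permissions onto the capability list and score the sample."""
    info = parse_manifest(xml_text)
    have = set(info["permissions"])
    capabilities = {cap: sorted(have.intersection(needed))
                    for cap, needed in CAPABILITY_PERMS.items()
                    if have.intersection(needed)}
    prio = info["sms_receiver_priority"]
    # A positive priority on an SMS_RECEIVED receiver is what a pre-4.4 SMS blocker
    # needs in order to see the message before the stock messaging app does.
    high_priority_sms = prio is not None and prio > 0
    return {"package": info["package"], "capabilities": capabilities,
            "sms_receiver_priority": prio,
            "high_priority_sms_receiver": high_priority_sms,
            "score": len(capabilities) + int(high_priority_sms)}


# Constructed sample: the kind of manifest a fake "Google Play" app with the
# capabilities above might carry. The package name is hypothetical.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="Google Play">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign sample for comparison, also with a hypothetical package name.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "score", result["score"], sorted(result["capabilities"]))
```

The score is only a triage signal: a legitimate messaging or navigation app also asks for some of these permissions, so a hit should lead to looking at the receiver and overlay code rather than to a verdict on its own.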
Initially, the thread's author specified that the bot would be rented to five clients only, all of them Russian speakers. On November 3, 2014, he announced that all five clients had been found and that the ad was no longer relevant. However, one month later, on December 2, he posted an update on GM BOT's capabilities and said he was looking for more clients. The new version lets the operator create his own JS or HTML dialog boxes to present to the victim, which widens the range of accounts whose credentials can be harvested.
The Australian Link
On January 13, 2015, the author posted again, this time with screenshots showing the results of GM BOT activity. According to the post, 165 devices in Australia were infected on January 10, and 68 of them were still communicating with the command-and-control (C&C) infrastructure at the time of the post. Screenshots of the collected data were attached.
On February 12, 2015, the author uploaded another post about GM BOT, this time focusing on its MitM capabilities. According to the post, the bot can inject JS or HTML code into a running application, showing the user fake pages that draw out their data.
It should be noted that the rental does not include a distribution method. The attacker who rents the malware has to deliver it to victims by a method of his own choosing, for instance spam emails.