Source code for an Android banking Trojan known as “GM Bot” has leaked online, say researchers at IBM X-Force . The leak, which was discovered on an “underground board” on the dark web, was published on December 15, 2015.
The hacker behind the leak has been giving cyber criminals free access to the Android banking Trojan without charging any kind of subscription fees to obtain it. Interested parties simply had to be active forum members to obtain a password, which unlocks the GM Bot archive. The archive contains both the source code for the GM bot and control panel as well as a tutorial on how to use the mobile malware for banking fraud.
According to X-Force researchers , GM Bot leaked source code can be used to attack victims in a variety of scenarios. The Android Trojan first made its appearance in 2014 in the Russian cybercrime underground and has been used frequently as a banking Trojan because of its unique characteristics. The GM Bot malware includes an overlay screen that can spread itself overtop a running banking application without victims’ knowledge. When victims enter their information into what they believe is a secure banking login screen, the overlay captures the information and forwards it to a remote attacker. The screen overlay can also be used for other kinds of secure logins to steal additional payment information like credit and debit card numbers.
But besides stealing banking credentials, the malware also has the ability to intercept SMS messages sent to the mobile devices and obtain the data inside those messages. The additional ability to target SMS message data allows the GM bot to defy two-factor authentication methods as often those methods send a text message code as the second factor in verifying the identity of the person logging in.
With the stolen login credentials and ability to weaken two-factor authentication, cybercriminals have everything they need to hack a users’ banking account and transfer money to other locations.
The malware also has the ability to forward calls to a remote attacker, and take control of functions on the device remotely. Basically, attackers can own the phone in every possible way without ever touching it.
In the past, many types of malware have been developed which could either steal login credentials or intercept SMS messages, but the evolution of malware like the GM bot that can do both turns it into what researchers call a “one-stop fraud shop for criminals.”
What makes the GM Bot source code leak particularly unsettling is the fact that the leaker is giving it away to cyber criminals for free and throwing in a tutorial for how to use it as well. According to X-Force researchers, the leakers purchased the malware from another vendor who sells it on the Dark Web for $500 a pop. The researchers believe the code and accompanying tutorial are being given away as a way for the cyber criminal to increase his street cred and up his/her rank in the community.
Though the leak puts the original creators of the GM Bot malware essentially out of business, X-Force researchers say the malware vendors don’t seem to be too concerned. The malware author has already reportedly begun working on a new version of the banking Trojan dubbed GM Bot v2.0.
How To Protect Against GM Bot Infection
As with many widespread attacks on mobile and desktop computers, following specific security measures can help avoid infection by malware. These include:
Never open attachments from unknown sources even if they look legit – phishing attacks are the number one way hackers are infecting victims’ devices. If you aren’t 100% sure what’s in an attachment, don’t open it.
Never click on links in SMS or MMS messages – it’s a really bad idea to click on a link sent through sms, email or anywhere else online even if it’s from someone you know. Attackers will often disguise attacks to look like messages from friends. Clicking on an unknown link can lead to instant drive-by pwning of your device.
Turn off “unknown sources” on you phone – you can do this by going to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
Always keep an up-to-date Anti-virus app on your Android devices - a several good anti-virus products can be found here .
Avoid unknown and unsecured Wi-Fi hotspots – it’s even a good idea to keep Wi-Fi turned OFF when you aren’t using it. Attacks via a shared and open network like in a coffee shop or library are an easy way for attackers to find victims.
Install patches or system updates as soon as they become available – many vendors are working hard to patch vulnerabilities as soon as they find them. The patches are only good if users actually install them though. Make sure to install updates as soon as they become available to keep your device most resilient to attack.