Source code of “game changer” Android banking malware leaked online

If you ask users and malware analysts, the Android threat landscape is wide enough, but unfortunately it’s likely to get even wider as source code for the GM Bot banking Trojan has been leaked on an underground board in December 2015.

“The exposure of GM Bot’s code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others. While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats,” Limor Kessem, a cyber intelligence expert at IBM Trusteer, explains.

Android banking malware

GM Bot, first offered for sale in late 2014 in the Russian-speaking cybercrime underground, was a game changer because it offered the capability to overlay (customized) screens on top of running banking applications.

Users would enter their login credentials into these screens instead of the apps, and the credentials were forwarded to a server controlled by cyber crooks. The Trojan can also intercept SMS messages or phone calls, which comes in hand when banks communicate the second authentication factor to the user (usually a code).

“Mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals,” Kessem points out.

And if you believe that this is the first time you’re hearing about this Trojan, you’re likely wrong. Have you heard about SlemBunk? How about Bankosy? Acecard? Slempo (aka Torec)?

According to researchers, it’s all the same Trojan, as the actual code base is the same.

GM Bot was initially sold on financial fraud-themed underground boards. Among the ones who bought it there was obviously someone who decided to make the code available to the wider public, along with a tutorial and installation instructions.

“The reasoning behind leaking the code appears to be one buyer’s personal desire to enhance credibility in the underground boards. To be considered more credible or up their rank, criminals usually have to give something back to the fraudster community they’re a part of; in this case, it was a tutorial explaining the use of mobile malware for online banking fraud,” says Kessem.

“The fraudster that leaked the code threw in an encrypted archive file of the GM Bot malware source. He indicated he would give the password to the archive only to active forum members who approached him. Those who received the password in turn passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list.”

This leaked code is for the first version of GM Bot, which the author has since “abandoned,” i.e. sold the rights to distribute to another cybercriminal who’s asking for $500 for it.

Allegedly, GM Bot’s author is working on a new version of the malware, and has already started selling it on underground forums.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.