Screen overlay Android malware is on the rise

Cyber Chief Magazine brings you the tactics to uncover and neutralize the insider threat

As predicted, the ability to lay screens over legitimate (e.g. banking) apps is becoming a crucial feature for the success of Android malware.

The capability was first seen in the GM Bot malware, first offered for sale in late 2014 in the Russian-speaking cybercrime underground. It’s source code has been leaked on the same markets, apparently by someone who bought the malware, but its original author released a new version in March 2016 – and tripled its price to $15,000.

Other malware authors wisely noted that not everyone could afford such a high price, and created cheaper alternatives: the KNL Bot, the Bilal Bot, and the Cron Bot.

Apart from the screen overlay capability, KNL Bot can apparently also intercept and send text messages, make and forward calls, turn off the phone’s sound, vibration and screen, be operated via SMS and via commands sent from a C&C server, and persist on the device. The price? Half of what the GM Bot’s lower-end package goes for.

Bilal Bot is even cheaper – around $3,000. It’s also less advanced, but offers customized overlay packages and its author claims that the buyers will be able to edit and enable overlay screens from the control panel, and push them directly to the infected device. But, according to IBM Trusteer cyber intelligence expert Limor Kessem, that particular functionality has still not been seen exploited in the wild.

The Cron Bot is the latest offering on the market, and at the moment is only offered under the malware-as-a-service model.

“The Cron Bot kit is sold in several pieces: the executable file ($4,000 per month), the APK ($4,000 per month) or a combination of both ($6,000 per month), with or without encryption services and hosting from the vendor ($7,000 per month for the entire package),” Kessem shared.

Despite the considerably lower price (when compared to GM Bot), it claims to offer a wide variety of options that resemble those of PC Trojans, including various modules (loader, keylogger, stealer, etc.) and a polymorphic builder.

“The rising supply of different offerings, including low-cost alternatives, may be in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups,” Kessem posits. “Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea to the fraud endeavors they cannot carry out without a banking Trojan operation.”

She believes that a combination of user awareness and mobile app security is key to protecting customers from mobile malware.