The well-known Android banking Trojan GM Bot has recently been updated and now targets more than 50 banks worldwide. Keep reading to learn more about it.
GM Bot Evolves
The Android banking Trojan GM Bot has been updated by criminal developers. A new variant has been observed in the wild that now targets more than 50 banks around the world. The infection counts for the last three months amount to over 200 000 instances.
Other names under which GM Bot is tracked include Acecard, SlemBunk and Bankosy. Its primary way of stealing banking information from compromised users is the creation of overlays on the various banking sites. Because the malware obtains system-level access on the device, it can place its own window over the legitimate login elements and intercept the account credentials as they are entered. Since most mobile banking solutions use two-factor authentication, the malicious program also intercepts the PIN codes sent via SMS or other messages. This effectively gives the attackers complete access to the victims' banking accounts.
GM Bot's code is open source and can easily be acquired from hacking communities on the Dark Web. This is probably one of the reasons why it is so popular among attackers.
It is distributed as an infected application downloadable from various third-party app repositories. Most malware samples impersonate legitimate apps such as the Google Play Service program, Facebook and others.
The first versions of GM Bot appeared on a Russian underground hacking community in 2014. Since then its source code has been leaked online and a second version appeared.
In many cases GM Bot poses as an adult content app or as a plugin such as Adobe Flash. Once the carrier app is installed, its icon disappears from the device's home screen and the payload starts executing. The app then persistently requests device administrator privileges from the user; once granted, these allow it to do a great deal of damage.
Once the app has been granted full administrative rights, the bot can control almost everything on the victim's device. As described above, it poses as the legitimate login pages of various mobile banking solutions and can intercept all messages sent to the user.
GM Bot is designed to search for specific strings that contain account credentials and payment card data such as the card number, CVV and cardholder name. All captured information is relayed to the remote C&C servers operated by the criminals.
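The three capabilities described above (drawing over other apps, reading SMS and holding device administrator rights) all have to be declared in an app's manifest, which makes the combination a useful triage signal. The following Python script is an added example, not code from the article or from any GM Bot sample: it parses a manifest and flags that combination. The permission names are real Android permissions; the sample manifest, its package name and the `.AdminReceiver` component are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to GM Bot, mapped to the Android
# permissions an app must declare to obtain them (real permission names).
CAPABILITY_PERMS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest imitating an app posing as Flash Player;
# it is not taken from a real GM Bot sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
    </receiver>
  </application>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus any device-admin receiver guard."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A device-administrator component is a receiver protected by BIND_DEVICE_ADMIN.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            perms.add(DEVICE_ADMIN_PERM)
    return {p for p in perms if p}


def triage(manifest_xml: str) -> dict:
    """Flag each capability and whether all of them appear together."""
    perms = declared_permissions(manifest_xml)
    flags = {cap: bool(perms & needed) for cap, needed in CAPABILITY_PERMS.items()}
    flags["device_admin"] = DEVICE_ADMIN_PERM in perms
    # Overlay + SMS interception + device admin is the combination described above.
    flags["matches_gm_bot_pattern"] = all(flags.values())
    return flags
```

A single flag on its own is not evidence of anything (many legitimate apps draw overlays or read SMS); the value lies in the combination, which is why the script reports it separately.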
At present the following banks and payment services are targeted, grouped by country:
USA and Canada: BNC, American Express, Chase, CIBC, Citi Bank, ClairMail, Coinbase, Credit Karma, Discover, goDough, First PREMIER bank, Bank of America, JPMorgan Chase, Skrill, Western Union, PayPal, PNC, SunTrust, TD Bank, TransferWise, Union Bank, USAA, U.S. Bank Access Online Mobile, Wells Fargo
Austria: BAWAG P.S.K., easybank, ErsteBank/Sparkasse, Volksbank, Bank Austria, Raiffeisen
Australia: Bank West, ING Direct, National Australia Bank, Commonwealth Bank, Bank of South Australia, St. George Bank, Westpac
Germany: Deutsche Bank, ING DiBa, DKB, Sparkasse, Comdirect, Commerzbank, Consorsbank, Volksbank Raiffeisen, Postbank, Santander
France: ING Direct, Crédit Mutuel de Bretagne, Crédit Mutuel Sud Ouest, Boursorama Banque, Téléchargements, Caisse d’Epargne, CIC, Crédit Mutuel, La Banque Postale, Groupama, MACIF, Crédit du Nord, Axa, Banque Populaire, Crédit Agricole, LCL, Société Générale, BNP Paribas
Poland: Comarch, Getin Group, Citi Bank, Bank Pekao, Raiffeisen, BZWBK24, Eurobank, ING Bank, mbank, IKO, Bank Millennium
Turkey: Akbank Direkt, QNB Finansbank Cep Şubesi, Garant, İşCep, Halkbank, VakıfBank, Yapı ve Kredi Bankası, Ziraat
The open-source nature of the malware means that new variants can be created at any time, adding new features and targeting additional online banks.