The Android Banking Trojan GM Bot Is Rapidly Evolving

The well-known Android banking Trojan GM Bot has recently been updated and now targets more than 50 banks worldwide. Keep reading to learn more about it.

GM Bot Evolves

The Android banking Trojan GM Bot has been updated by its criminal developers. A new variant observed in the wild now targets more than 50 banks around the world. Infection counts for the last three months exceed 200 000 instances.

Other names under which GM Bot is tracked include Acecard, SlemBunk and Bankosy. Its primary way of stealing banking information from compromised users is to draw overlays on top of the various banking sites. Because the malware has system-level access to the device, it can place its own window over the legitimate login elements and capture the credentials the user types in. Since most mobile banking solutions use two-factor authentication, the malicious program also intercepts the PIN codes sent via SMS or other messages. Together, this gives the attackers complete access to the victims' banking accounts.

GM Bot's code is open source and can easily be acquired from hacking communities on the Dark Web, which is probably one of the reasons it is so popular among attackers.

It is distributed as a trojanized application downloadable from various third-party app repositories. Most malware samples impersonate legitimate apps such as Google Play Services, Facebook and others.

The first versions of GM Bot appeared on a Russian underground hacking forum in 2014. Since then its source code has been leaked online and a second version has appeared.

In many cases GM Bot poses as an adult content app or as a plugin such as Adobe Flash. Once the app carrying the payload is installed, its icon disappears from the device's home screen and the payload starts executing. The app then persistently prompts the user for device administrator privileges, which, once granted, allow it to do a great deal of damage.

Once the app has been granted full administrative rights, the bot can control almost everything on the victim's device. As discussed above, it presents fake login pages that mimic various mobile banking solutions and can intercept all messages sent to the user.

GM Bot is designed to search for specific strings that contain account credentials and payment card information such as the CVV, cardholder name and card number. All captured information is relayed to the remote C&C servers operated by the criminals.
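A defender-side triage check for the capability combination described above (overlay windows over login screens, interception of SMS codes, device administrator rights). This is an added example, not code from the original article or from GM Bot itself; the two manifests are constructed, and the package names and receiver class names in them are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to GM Bot, mapped to the Android permissions/receivers behind them.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the overlay + SMS-intercept + device-admin combination in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN on the receiver element itself.
    device_admin = any(r.get(PERMISSION) == DEVICE_ADMIN_PERM for r in receivers)
    # A receiver for SMS_RECEIVED (often with a high priority) is how incoming one-time codes get read.
    sms_receiver = any(a.get(NAME) == SMS_ACTION for r in receivers for a in r.iter("action"))
    findings = {
        "overlay": bool(perms & OVERLAY_PERMS),
        "sms_intercept": bool(perms & SMS_PERMS) or sms_receiver,
        "device_admin": device_admin,
    }
    hits = sum(findings.values())
    # Any one capability alone is common in legitimate apps; all three together is the banker profile.
    findings["verdict"] = {3: "banker-like", 2: "suspicious"}.get(hits, "low")
    return findings

# Constructed sample: a fake "Flash Player" plugin carrying the full GM Bot permission profile.
FAKE_PLUGIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplugin">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Adobe Flash Player">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign comparison: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/><application android:label="Notes"/></manifest>"""
```

In practice the manifest is pulled from a decoded APK (for example with apktool) and every flagged app is then inspected by hand, since legitimate SMS and accessibility apps can legitimately hold one or two of these capabilities.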

At the current moment the following banks are targeted:

USA and Canada

BNC

American Express

Chase

CIBC

Citi Bank

ClairMail

Coinbase

Credit Karma

Discover

goDough

First PREMIER bank

Bank of America

JPMorgan Chase

Skrill

Western Union

PayPal

PNC

SunTrust

TD Bank

TransferWise

Union Bank

USAA

U.S. Bank Access Online Mobile

Wells Fargo

Austria

BAWAG P.S.K.

easybank

ErsteBank/Sparkasse

Volksbank

Bank Austria

Raiffeisen

Australia

Bank West

ING Direct

National Australia Bank

Commonwealth Bank

Bank of South Australia

St. George Bank

Westpac

Germany

Deutsche Bank

ING DiBa

DKB

Sparkasse

Comdirect

Commerzbank

Consorsbank

Volksbank Raiffeisen

Postbank

Santander

France

ING Direct

Crédit Mutuel de Bretagne

Crédit Mutuel Sud Ouest

Boursorama Banque

Téléchargements

Caisse d’Epargne

CIC

Crédit Mutuel

La Banque Postale

Groupama

MACIF

Crédit du Nord

Axa

Banque Populaire

Crédit Agricole

LCL

Société Générale

BNP Paribas

Poland

Comarch

Getin Group

Citi Bank

Bank Pekao

Raiffeisen

BZWBK24

Eurobank

ING Bank

mbank

IKO

Bank Millennium

Turkey

Akbank Direkt

QNB Finansbank Cep Şubesi

Garant

İşCep

Halkbank

VakıfBank

Yapı ve Kredi Bankası

Ziraat

The open-source nature of the malware means that new variants can be created at any time, adding new features and targeting additional online banks.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
