The well-known Android banking Trojan GM Bot has recently been updated and now targets more than 50 banks worldwide. Keep reading to learn more about it.
GM Bot Evolves
The Android banking Trojan GM Bot has been updated by its criminal developers. A new variant observed in the wild now targets more than 50 banks around the world, and infection counts for the last three months exceed 200 000 instances.
GM Bot is also known as Acecard, SlemBunk and Bankosy. Its primary way of stealing banking information from compromised users is to draw overlays on top of the various banking apps and web sites. Because the malware obtains administrative access to the device, it can place its own window precisely over the legitimate login elements and capture the account credentials as they are typed. Because most mobile banking solutions use two-factor authentication, the malware also intercepts the one-time PIN codes delivered via SMS or other messages. Together, this gives the attackers complete access to the victims' banking accounts.
GM Bot's code is open source and can easily be acquired from hacking communities on the Dark Web, which is probably one reason it is so popular among attackers.
It is distributed as an infected application downloadable from various third-party app repositories. Most malware samples impersonate legitimate apps such as the Google Play Services program, Facebook and others.
The first versions of GM Bot appeared on a Russian underground hacking community in 2014. Since then its source code has been leaked online and a second version has appeared.
In many cases GM Bot poses as an adult content app or as a plugin such as Adobe Flash. Once the carrier app is installed, its icon disappears from the device's home screen and the payload starts executing. The app then persistently requests device administrator privileges from the user, which, once granted, allow it to do a great deal of damage.
With full administrative rights, the bot controls almost everything on the victim's device. As described above, it displays fake login pages mimicking those of various mobile banking solutions and can intercept all messages sent to the user.
GM Bot is designed to search for specific strings containing account credentials and payment card details such as the card number, cardholder name and CVV. All collected information is relayed to the remote C&C servers operated by the criminals.
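The behaviour described above (drawing windows over other apps, reading incoming SMS, demanding device administrator rights and hiding the launcher icon) corresponds to a small set of declarations an Android app must make in its manifest. The following triage heuristic, written as an added example for this article and not taken from GM Bot or from any vendor's detection product, scores an app on that capability combination. The permission and intent action names are real Android identifiers; the `AppManifest` structure and the three sample apps are constructed for the example.

```python
"""Heuristic triage of Android manifest metadata for the overlay + SMS +
device-admin capability pattern used by banking Trojans such as GM Bot.
Added example for this article; the sample manifests below are constructed."""
from dataclasses import dataclass

# Real Android permission / intent action names used by the heuristic.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"            # draw over other apps
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"        # set on the admin <receiver>
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"     # broadcast for new SMS


@dataclass
class AppManifest:
    """Constructed, simplified view of the fields a manifest parser would extract."""
    package: str
    uses_permissions: set          # <uses-permission android:name=...>
    receiver_permissions: set      # android:permission attributes on <receiver>
    receiver_actions: set          # intent-filter actions registered by receivers
    has_launcher_activity: bool    # any activity with category LAUNCHER


def assess(app):
    """Return (verdict, reasons). One reason per capability; the verdict is
    'high' when three or more combine, 'medium' for two, otherwise 'low'.
    This is triage, not a conviction: legitimate messaging or MDM apps use
    several of these individually."""
    reasons = []
    if OVERLAY in app.uses_permissions:
        reasons.append("can draw over other apps (overlay phishing)")
    if app.uses_permissions & SMS_PERMS or SMS_RECEIVED in app.receiver_actions:
        reasons.append("can read incoming SMS (2FA code interception)")
    if DEVICE_ADMIN in app.receiver_permissions:
        reasons.append("registers a device-administrator receiver")
    if not app.has_launcher_activity:
        reasons.append("no launcher activity (icon hidden after install)")
    if len(reasons) >= 3:
        verdict = "high"
    elif len(reasons) == 2:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, reasons


# Constructed samples: a Trojan-like profile, a chat app with floating
# bubbles, and a plain SMS backup tool.
TROJAN_LIKE = AppManifest(
    package="com.example.fakeflash",
    uses_permissions={OVERLAY, "android.permission.RECEIVE_SMS"},
    receiver_permissions={DEVICE_ADMIN},
    receiver_actions={SMS_RECEIVED},
    has_launcher_activity=False,
)
CHAT_APP = AppManifest(
    package="com.example.chat",
    uses_permissions={OVERLAY, "android.permission.READ_SMS"},
    receiver_permissions=set(),
    receiver_actions=set(),
    has_launcher_activity=True,
)
SMS_BACKUP = AppManifest(
    package="com.example.smsbackup",
    uses_permissions={"android.permission.READ_SMS"},
    receiver_permissions=set(),
    receiver_actions=set(),
    has_launcher_activity=True,
)

if __name__ == "__main__":
    for app in (TROJAN_LIKE, CHAT_APP, SMS_BACKUP):
        verdict, reasons = assess(app)
        print(f"{app.package}: {verdict} - {'; '.join(reasons) or 'nothing notable'}")
```

The scoring deliberately treats each capability as only one point, because every one of them has legitimate uses; it is the combination, especially together with a missing launcher activity, that matches the pattern in the article and justifies a closer look at the sample.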
At the moment the following banks are targeted:
USA and Canada
First PREMIER Bank
Bank of America
U.S. Bank Access Online Mobile
Australia
National Australia Bank
Bank of South Australia
St. George Bank
France
Crédit Mutuel de Bretagne
Crédit Mutuel Sud Ouest
La Banque Postale
Crédit du Nord
Turkey
QNB Finansbank Cep Şubesi
Yapı ve Kredi Bankası
Because the malware is open source, new variants can be created at any time, adding new features and new target banks.