The banking Trojan family is known by several names: security researchers from FireEye dubbed it SlemBunk, Symantec dubbed it Bankosy, and last week, when Heimdal Security uncovered it, they dubbed it MazarBot.
All of the above Android banking Trojans originated from a common threat family, dubbed GM Bot, which IBM has been tracking since 2014.
GM Bot emerged on the Russian cybercrime underground forums, sold for $500 / €450, but it appears someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.
What is GM Bot and Why Should You Worry about it?
The recent version of GM Bot (dubbed MazarBOT) can display phishing pages on top of mobile banking applications in an effort to trick Android users into handing over their financial credentials to the fraudsters.
Besides this, the banking trojan is also capable of forwarding phone calls and intercepting SMS messages, which helps fraudsters bypass an additional layer of bank security mechanisms, and of locking a device’s screen.
Cyber criminals could also use the malware to:
- Spy on victims
- Delete data from the infected device
- Gain boot persistence to help survive device restart
- Send and read your SMS messages
- Make calls to your contacts
- Read the phone's state
- Plague phone's control keys
- Infect your Chrome browser
- Change phone settings
- Force the phone into sleep mode
- Query the network status
- Access the Internet
- Wipe your device's storage (the most critical capability of the malware)
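Several items in the list above correspond to permissions an Android app must declare in its manifest, so a defender can triage an app by checking for them. The following is an added example, not code from the article or from any of the researchers it cites; the permission-to-capability mapping, the flagging rule, and the sample manifest are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping from standard Android permissions to the capabilities
# listed in the article (the article itself names no permissions).
CAPABILITY_BY_PERMISSION = {
    "SEND_SMS": "send SMS messages",
    "READ_SMS": "read SMS messages",
    "RECEIVE_SMS": "intercept incoming SMS",
    "CALL_PHONE": "make calls",
    "READ_PHONE_STATE": "read the phone's state",
    "RECEIVE_BOOT_COMPLETED": "boot persistence",
    "WRITE_SETTINGS": "change phone settings",
    "ACCESS_NETWORK_STATE": "query the network status",
    "INTERNET": "access the Internet",
    "BIND_DEVICE_ADMIN": "device admin (screen lock, storage wipe)",
}
SMS_PERMISSIONS = {"SEND_SMS", "READ_SMS", "RECEIVE_SMS"}

def audit_manifest(xml_text):
    """Return (matched capabilities, needs_review) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = set()
    for el in root.iter("uses-permission"):
        declared.add(el.get(ANDROID_NS + "name", ""))
    # Device admin shows up as a permission guarding a <receiver>.
    for el in root.iter("receiver"):
        declared.add(el.get(ANDROID_NS + "permission", ""))
    found = {p[len(PREFIX):] for p in declared if p.startswith(PREFIX)}
    matched = {p: CAPABILITY_BY_PERMISSION[p]
               for p in sorted(found) if p in CAPABILITY_BY_PERMISSION}
    # Triage heuristic (an assumption, not a GM Bot signature): SMS access
    # combined with device admin and boot start deserves manual review.
    needs_review = (bool(found & SMS_PERMISSIONS)
                    and {"BIND_DEVICE_ADMIN", "RECEIVE_BOOT_COMPLETED"} <= found)
    return matched, needs_review

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""
```

Many legitimate apps request some of these permissions, so a match is a prompt for manual review and not a verdict.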
However, someone leaked the malware source code only to boost his/her reputation on an underground forum, according to the researchers.
GM Bot Android Malware Source Code for FREE
Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for FREE.
Here’s the Cherry on the Top:
Besides the source code, the leaker also posted a tutorial and instructions for server-side installation, which means cybercriminals can create their own versions of the malware strain to conduct online banking fraud.
Though the archive file containing the source code and its control panel is password protected, the leaker is offering the password only to active forum members who approach him.
"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.
Online users had started sharing the password to the archive among their friends, and in no time, the GM Bot source code was all over the hacking underground forums.
GM Bot is one of the most dangerous banking trojans in the Android ecosystem, and now that its source code has been leaked, users are advised to take care while banking online.
How to Protect Yourself?
As I previously mentioned, online users are advised to follow these steps in order to protect themselves against this kind of threat:
- Never open attachments from unknown sources.
- Never click on links in SMS or MMS messages sent to your phone.
- Even if the email looks legit, go directly to the source website and verify any possible updates.
- Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
- Always keep an up-to-date Anti-virus app on your Android devices.
- Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.