Security researchers may consider the Android threat landscape wide enough already, but it is likely to get wider still: the source code of the GM Bot banking Trojan has leaked.
“The exposure of GM Bot’s code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others. While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats,” said Limor Kessem, a cyber intelligence expert at IBM Trusteer.
GM Bot was first offered for sale in 2014 on Russian-speaking cyber-crime underground forums. It was considered a game changer because of its ability to overlay customized screens on top of running banking applications.
When users enter their login credentials into these fake screens rather than into the genuine app, the credentials are forwarded to a server controlled by the criminals. GM Bot can also intercept SMS messages and phone calls, which lets it capture the second authentication factor when a bank delivers it over those channels, so SMS-delivered one-time codes offer little protection on an infected device.
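The overlay-plus-interception pattern described above translates into a concrete permission profile on the device: an app that wants to draw over a banking app needs the overlay permission, and an app that wants to read SMS or divert calls needs the corresponding telephony permissions. The following triage script, added here as an illustration and not part of the original article or of any GM Bot analysis, parses a constructed excerpt shaped like `adb shell dumpsys package` output and flags packages that request both. The package names, hashes and permission lists in the sample are made up. It is a heuristic for narrowing down suspects, not a detector: legitimate messaging apps, launchers and accessibility tools request the same permissions.

```python
"""Triage helper: flag installed Android packages whose requested
permissions match the overlay + SMS/call interception pattern used by
mobile banking Trojans. Heuristic only: a hit is a lead, not a verdict."""
import re

# Permission that lets an app draw over the foreground banking app.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
# Permissions that let an app read or divert SMS- and call-delivered 2FA.
INTERCEPT_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# Package names and hashes are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.bank.mobile] (3f2a1c):
    userId=10080
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_FINGERPRINT
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashplayerupdate] (9b77e0):
    userId=10121
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.sms_app] (c0ffee):
    userId=10044
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
"""

_PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def parse_requested_permissions(text):
    """Return {package: set(permission)} from dumpsys-style text.

    Only the 'requested permissions:' block of each package is read; the
    block ends at the first line indented no deeper than its header."""
    perms = {}
    current = None
    in_requested = False
    section_indent = 0
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms.setdefault(current, set())
            in_requested = False
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:" and current is not None:
            in_requested = True
            section_indent = indent
            continue
        if in_requested:
            if stripped and indent > section_indent:
                # Tolerate "perm: granted=..." style lines as well.
                perms[current].add(stripped.split(":")[0])
            else:
                in_requested = False
    return perms


def flag_overlay_interceptors(perms_by_pkg):
    """Packages requesting an overlay permission AND an SMS/call permission.

    Returns {package: sorted list of the permissions that triggered it}."""
    hits = {}
    for pkg, perms in perms_by_pkg.items():
        overlay = perms & OVERLAY_PERMS
        intercept = perms & INTERCEPT_PERMS
        if overlay and intercept:
            hits[pkg] = sorted(overlay | intercept)
    return hits


if __name__ == "__main__":
    found = flag_overlay_interceptors(parse_requested_permissions(SAMPLE_DUMPSYS))
    for pkg, why in found.items():
        print(f"{pkg}: {', '.join(why)}")
```

On a real device you would feed the script the output of `adb shell dumpsys package` instead of the embedded sample; the bank app and the plain SMS app in the sample are deliberately left unflagged to show that either permission family alone is not enough to raise a lead.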
“Mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals,” Kessem stated.
GM Bot was originally sold on financial-fraud-themed underground boards. One of its buyers apparently decided to make the code available to a wider audience, together with a tutorial and installation instructions.
“The reasoning behind leaking the code appears to be one buyer’s personal desire to enhance credibility in the underground boards. To be considered more credible or up their rank, criminals usually have to give something back to the fraudster community they’re a part of; in this case, it was a tutorial explaining the use of mobile malware for online banking fraud,” explains Kessem.
“The fraudster that leaked the code threw in an encrypted archive file of the GM Bot malware source. He indicated he would give the password to the archive only to active forum members who approached him. Those who received the password in turn passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list.”
The leaked code appears to be for the first version of GM Bot, which its author has since "abandoned", i.e. sold the distribution rights to another hacker, who is now asking $500 for it.
The creator of GM Bot is most likely working on a new version of the malware, and he has already started selling it on underground forums.