There is a growing crop of mobile malware that is designed to overlay a user’s phone screen and harvest banking and other credentials, and the attackers behind these tools have thoughtfully created a range of options, from low-end to premium priced.
Researchers at IBM’s X-Force team have been tracking a variety of mobile malware samples in underground forums recently, most of which are offshoots or close cousins of the venerable GM Bot. The GM Bot malware has been around for more than 18 months now, and it has been used by cybercrime gangs to infect mobile devices and steal users’ banking data through the use of overlay screens. The malware detects when a victim is using a mobile banking app on an infected device and produces an overlay screen that mimics the banking app’s login screen.
The malware will then capture the victim’s banking credentials and send them to the attacker. GM Bot has been employing this technique for some time, and after the source code for that malware leaked online in February, other malware authors have adapted the technique for their own offerings. Like most mobile malware, these applications target Android devices, and while GM Bot can cost as much as $15,000, some of the others are much less expensive.
“Three alternative offerings actively being sold in underground boards include Bilal Bot, Cron Bot and KNL Bot. These malicious codes are being peddled by their authors for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, all three claim to have the overlay screen capabilities and data theft ability, according to their vendors,” Limor Kessem of IBM wrote in a post about the malware offerings.
KNL Bot has a wide range of capabilities besides stealing banking credentials. The malware can intercept incoming texts and send outgoing texts, a function that often is found in banking malware as a method for bypassing two-step verification. Banks will send verification codes via SMS to users for new logins or transactions, and malware that can intercept those messages is especially dangerous. KNL Bot also has a function that will lock the phone while the malware continues to run in the background.
The Bilal Bot malware is selling for about $3,000, Kessem said, and has some sophisticated overlay capabilities.
“Although this malware is supposedly still in testing mode, Bilal Bot promises to focus on fraud-enabling capabilities, namely overlay screens, SMS hijacking, call forwarding and customized overlay packages. It also will reportedly enable the botmaster to edit and enable overlay screens from the control panel, then send them to the infected bots (see below for its control panel, showing phishing overlay screen edit option). Those functions are yet to be seen in the wild,” Kessem said.
Cron Bot, by contrast, is designed more in the mold of desktop malware, giving attackers a variety of capabilities, such as SMS interception, cross-platform support, and a modular architecture. The bot is sold in several different pieces, including the executable and the Android package, and customers also can rent encryption services from the authors.
“The rising supply of different offerings, including low-cost alternatives, may be in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea to the fraud endeavors they cannot carry out without a banking Trojan operation,” Kessem said.