Android Malware About to Get Worse: GM Bot Source Code Leaked

IBM X-Force threat intelligence has found that the source code for Android malware GM Bot was leaked on an underground board in December 2015. The leaked code for the malware and its control panel have since been further propagated to different users, making this popular Android Trojan accessible to fraudsters for free, with a tutorial and server-side installation instructions to match.

GM Bot will be available to cybercriminals who can recompile the code, create new variants and use the leaked sources to build, sell or deploy this malware for fraud scenarios.


A Mobile Source Code Leak

How was this source code leaked? And why? In this particular case, it looks like the leak didn’t result from a dispute between criminals. Instead, it looks like it was the choice of one of GM Bot’s buyers. When it comes to cybercriminals selling malware in underground venues, black-hat vendors simply cannot control what their buyers may do with the malware once it is in their possession. As they say: Leaks happen!

The exposure of GM Bot’s code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others. While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats. Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware.

The reasoning behind leaking the code appears to be one buyer’s personal desire to enhance credibility in the underground boards. To be considered more credible or up their rank, criminals usually have to give something back to the fraudster community they’re a part of; in this case, it was a tutorial explaining the use of mobile malware for online banking fraud.

The fraudster who leaked the code threw in an encrypted archive file of the GM Bot malware source. He indicated he would give the password to the archive only to active forum members who approached him. Those who received the password in turn passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board's member list.

Where does that leave GM Bot's creator? The original vendor already sold the rights to distribute what is considered GM Bot v1 to another cybercriminal, who peddles it in the underground for $500. That version is called MazarBot, and it is just as popular among cybercriminals.


According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.