Mobile Malware Competition Rises in Underground Markets

The mobile malware marketplace has been bustling with activity in the past few months. Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.

Recent events linked with mobile malware include the GM Bot code leak, reported by IBM X-Force research in February, and the subsequent release of a new version of GM Bot in March 2016. With this later release, the GM Bot author tripled the price of the overlay malware from $5,000 to $15,000. By April, IBM X-Force researchers noticed that GM Bot’s vendor, who goes by the alias GanjaMan, had been banned from the top underground markets due to a dispute with a customer.

GM Bot is one of the longest-standing overlay malware offerings in the Russian-speaking underground, but it is considered rather expensive. Meanwhile, other developers and malware vendors recognize the profit opportunity in the Android malware market, creating competition in the form of lower-cost alternatives on one hand and more sophisticated offerings on the other.

Three alternative offerings actively being sold on underground boards are Bilal Bot, Cron Bot and KNL Bot. Their authors are peddling these malicious codes for prices ranging from $3,000 to $6,000. While they may not possess the same feature variety as GM Bot, their vendors claim that all three have overlay screen and data theft capabilities.

KNL Bot on the Rise

The KNL Bot offering is the most similar to GM Bot judging by its supposed feature list, yet its price point is about half that of GM Bot’s lower-end package. This bot has been around for at least as long as GM Bot has. Its developers are selling the malware with a botnet control panel.


They also highlight the malware’s potential monetization options: KNL Bot claims to allow remote attackers to gain control over the infected device, enabling them to obtain online banking credentials and payment card data. The figure below shows the translated KNL Bot forum post.

