GM Bot: Alive and Upgraded, Now on Android M
IBM X-Force Research detected a recently updated
version of the GM Bot mobile banking malware designed to run on Android 6
(Marshmallow) and bypass the new security controls added to that platform. Google
officially released Marshmallow, code-named M during development, in October 2015.
The GM Bot version we analyzed works on all Android versions up to and including
the Marshmallow release.
This new finding is notable because GM Bot's
developer was banned from the underground boards where he used to sell the malware,
and a competitor claimed that the original developer had stopped selling it. However,
it is now clear that GM Bot is still alive and is being updated to
circumvent Android security; attackers are actively using the new version
in the wild.
GM Bot Continues to Evolve
Overlay Trojans, such as GM Bot and its
derivatives, superimpose fraudulent windows on top of
banking and payment applications to phish credentials, credit card data
and other personally identifiable information (PII). GM Bot's spyware features
also let remote attackers read transaction authorization codes sent
via short message service (SMS), view device information, intercept, forward or
initiate phone calls, and lock the device's screen. Overlay malware is
ultimately a cybercriminal's way to gather a victim's online banking credentials
and second authentication factor on a single device.
In general terms, the overlay scheme works when
the malware can:
- Identify which app was opened by the user and which app is running in the foreground.
- Launch a matching fake app screen on top of the running app.
The first task is often achieved by abusing
Android's getRunningTasks() application programming interface (API). Starting with
the Android 5.0 Lollipop release, that method was deprecated and restricted to
returning only the calling app's own tasks, temporarily hampering
the ability of overlay Trojans to figure out what the user is looking at.
Of course, cybercriminals operating Trojans of
this type were not going to wait long for the next workaround. Malware developers tried
a variety of tricks to get past the new restriction, including:
- Getting the current foreground application via getRunningAppProcesses(), which still revealed other apps' processes on Android 5.0 and 5.1 (Android L) but returns only the caller's own processes from Android 6.0 onward;
- Abusing an accessibility service, which the victim must be tricked into enabling in Settings, to find out what is on the screen; and
- In some cases, abusing the UsageStatsManager API, which requires the user to grant the PACKAGE_USAGE_STATS permission through Settings.
GM Bot's developer, known as GanjaMan, also found
a way around the restriction and implemented it in the most recent
version of the malware. It took no programming genius: he used an
open-source method documented on GitHub and implemented process
enumeration to determine which app was running in the foreground, a
workable heuristic for the job.
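The process-enumeration heuristic described above, as an added illustration written for this page; it is neither GM Bot's code nor the code of the GitHub project the post refers to. It walks a /proc tree, treats any process whose cmdline is a dotted package name as an Android app process, and assumes (this is the heuristic, not a documented API contract) that the app on screen is the single non-platform package whose process runs at oom_score_adj 0. The package names, the SYSTEM_PREFIXES list, and the /proc tree built by build_fake_proc() are constructed sample data so the script runs offline on any Linux host; pass "/proc" on an Android device where other apps' entries are readable to use it for real.

```python
"""Heuristic foreground-app detection by enumerating /proc (added example).

Assumptions, none taken from the original post:
  - an app process's /proc/<pid>/cmdline is its package name, optionally
    with a ':name' suffix for a secondary process ('com.example.bank:sync');
  - the visible app's main process runs at oom_score_adj 0 while cached and
    background apps are pushed to higher values;
  - packages under SYSTEM_PREFIXES are platform components, not user apps.
"""
import os
import tempfile

# Treated as platform components rather than user-facing apps (assumption).
SYSTEM_PREFIXES = ("com.android.", "android")


def read_text(path, default=""):
    """Read a small /proc file; unreadable entries (exited, or hidden) yield default."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return default


def package_of(cmdline):
    """Return the package name if cmdline looks like an app process, else None.

    Native daemons ('/init', 'system_server') carry no dotted package name.
    """
    name = cmdline.split("\x00", 1)[0].split(":", 1)[0].strip()
    if "." not in name or "/" in name:
        return None
    if not all(part.isidentifier() for part in name.split(".")):
        return None
    return name


def enumerate_app_processes(proc_root="/proc"):
    """Yield (pid, package, oom_score_adj) for every readable app process."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        pkg = package_of(read_text(os.path.join(pid_dir, "cmdline")))
        if pkg is None:
            continue
        try:
            adj = int(read_text(os.path.join(pid_dir, "oom_score_adj"), "").strip())
        except ValueError:
            continue  # missing or empty: process exited or its /proc entry is hidden
        yield int(entry), pkg, adj


def foreground_candidates(proc_root="/proc"):
    """Sorted non-platform packages whose process runs at oom_score_adj 0."""
    found = set()
    for _pid, pkg, adj in enumerate_app_processes(proc_root):
        if adj == 0 and not pkg.startswith(SYSTEM_PREFIXES):
            found.add(pkg)
    return sorted(found)


def foreground_package(proc_root="/proc"):
    """The foreground package, or None when the heuristic cannot decide
    (no readable app processes, or more than one adj-0 candidate)."""
    cands = foreground_candidates(proc_root)
    return cands[0] if len(cands) == 1 else None


def build_fake_proc(root):
    """Write a constructed /proc-like tree (sample data, not captured from a device)."""
    sample = {
        1:    ("/init", "-1000"),
        312:  ("system_server", "-900"),
        1405: ("com.android.systemui", "0"),     # persistent platform UI
        2031: ("com.example.bank", "0"),          # the app currently on screen
        2099: ("com.example.bank:sync", "200"),   # secondary process, same app
        2210: ("com.example.messenger", "600"),   # cached, off screen
        2250: ("com.example.launcher", "900"),
    }
    for pid, (cmdline, adj) in sample.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline.encode() + b"\x00")
        with open(os.path.join(d, "oom_score_adj"), "w") as f:
            f.write(adj + "\n")
    os.makedirs(os.path.join(root, "self"), exist_ok=True)  # non-numeric entry, skipped


def demo():
    """Run the heuristic against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return foreground_package(root)


if __name__ == "__main__":
    print("constructed tree ->", demo())
    if os.path.isdir("/proc"):
        print("this host (meaningful only on Android) ->", foreground_package("/proc"))
```

The heuristic needs no permission and no deprecated API, which is why it survived the Lollipop and Marshmallow changes; it relies entirely on /proc/<pid> of other apps being world-readable. That is also its weak point: Android 7.0 mounts /proc with hidepid=2, so an app can no longer list other apps' process entries and this technique returns nothing there.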
This post was part of my work with IBM X-Force.
Read the complete post here.