This huge Android trojan malware campaign was discovered after the gang behind it made basic security mistakes

Cyber attackers infected 800,000 users with banking-information-stealing malware – but mistakes have allowed researchers to look behind the scenes of a successful hacking campaign.
Written by Danny Palmer, Senior Writer

A giant botnet and banking trojan malware operation has infected hundreds of thousands of Android users since at least 2016 – but mistakes by the group have revealed details of the campaign and how they operate.

Dubbed the Geost botnet after a name repeatedly found in the attackers' command and control servers, the operation has been discovered by researchers from Czech Technical University, UNCUYO University in Argentina, and cybersecurity company Avast, who detailed their findings at the Virus Bulletin 2019 conference in London.

The campaign is believed to have infected up to 800,000 Android users and has potentially provided the attackers with access to bank accounts along with information about the names of victims, their type of phone and their location.


But despite the apparent success of the campaign, the Geost attackers made some basic errors that have allowed researchers to monitor their whole operation, read chat logs and even identify two of the criminals behind the campaign.

Researchers uncovered the group when examining samples of HtBot, a form of malware that provides attackers with pseudo-anonymous communication to the internet. However, when using the illegal HtBot service, the attackers didn't encrypt their data, alerting researchers to their activity.

They found that the attackers were targeting customers of five banks located in Eastern Europe and Russia with malware.

The initial infection comes in the form of malicious apps – the attackers take legitimate apps from the Google Play store and edit the code to add malicious capabilities alongside the real functionality of the app before uploading it to third-party Android stores to be downloaded by users. The malicious apps are often weaponised versions of popular services, including games, banking and social-networking apps.

Once installed on a device, the malware monitored the text messages of the user and it was via this channel that attackers were able to gain access to bank accounts – because it's still common for Russian banks to send out plaintext passwords to users via SMS.
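The two indicators described above (an app installed from somewhere other than the Play store, and an app that can read incoming SMS, the channel through which the bank-sent passwords were captured) are easy to check for on a device inventory. The script below is an added example, not code from the article or from the researchers: it parses output in the shape of `adb shell pm list packages -i` (the real command; the four sample lines and the permission map are constructed), and flags packages that were sideloaded and request the real `android.permission.RECEIVE_SMS` or `android.permission.READ_SMS` permissions. Package names, the `triage` function and the risk labels are hypothetical.

```python
import re
from typing import Dict, List, Optional, Set

# Real Android permission names. An app needs one of these to see an SMS that
# delivers a bank password to the device.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Installer package name of the Google Play store. Anything else (a third-party
# store, or "null" for a manually installed APK) means the app was sideloaded.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample in the format of `adb shell pm list packages -i`.
SAMPLE_PACKAGE_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.game.repack  installer=null
package:com.example.social.mod  installer=com.thirdparty.store
package:com.example.messenger  installer=com.android.vending
"""

# Constructed (hypothetical) mapping of package -> requested permissions, as one
# would collect from `adb shell dumpsys package <pkg>`.
SAMPLE_PERMISSIONS: Dict[str, Set[str]] = {
    "com.example.bank": {"android.permission.INTERNET"},
    "com.example.game.repack": {
        "android.permission.INTERNET",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "com.example.social.mod": {
        "android.permission.INTERNET",
        "android.permission.RECEIVE_SMS",
    },
    "com.example.messenger": {
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
    },
}

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_package_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None when pm reports 'null'."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or unexpected lines
        inst = match.group("inst")
        result[match.group("pkg")] = None if inst == "null" else inst
    return result


def triage(package_list: str, permissions: Dict[str, Set[str]]) -> List[dict]:
    """Score each installed package on the two indicators.

    high   = sideloaded AND can read SMS (the combination seen in repackaged
             apps that harvest SMS-delivered bank passwords)
    medium = only one of the two indicators (e.g. a legitimate Play-store SMS
             app, or a sideloaded app with no SMS access)
    low    = neither
    """
    findings = []
    for pkg, installer in parse_package_list(package_list).items():
        sideloaded = installer != PLAY_STORE_INSTALLER
        sms_perms = sorted(permissions.get(pkg, set()) & SMS_PERMISSIONS)
        if sideloaded and sms_perms:
            risk = "high"
        elif sideloaded or sms_perms:
            risk = "medium"
        else:
            risk = "low"
        findings.append({
            "package": pkg,
            "installer": installer,
            "sideloaded": sideloaded,
            "sms_permissions": sms_perms,
            "risk": risk,
        })
    return findings


def high_risk_packages(package_list: str, permissions: Dict[str, Set[str]]) -> List[str]:
    """Convenience: just the package names that hit both indicators."""
    return [f["package"] for f in triage(package_list, permissions) if f["risk"] == "high"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKAGE_LIST, SAMPLE_PERMISSIONS):
        print(f"{finding['risk']:6} {finding['package']:28} "
              f"installer={finding['installer']} sms={finding['sms_permissions']}")
```

A Play-store SMS app that legitimately needs `READ_SMS` scores only "medium" here, so the check is a triage aid rather than a verdict; the "high" bucket is the one worth a closer look, since it matches exactly the repackaged-app-plus-SMS-access pattern the researchers describe.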

"90% of the passwords leaked are coming from the bank sending you your password," Sebastian Garcia, researcher at the Czech Technical University in Prague, told ZDNet. However, in cases where this wasn't possible, the malicious apps would ask for login credentials as a one-off.

"Sometimes they were doing pop-ups on the phone asking for credentials – once they have the credentials there's no interaction from the phone anymore," he added.

While the scheme appears to have been financially successful for the attackers, their failure to cover their tracks has given researchers an insight into how the gang operates – and it often showed the hackers were unhappy with their work.

For example, Skype chat logs revealed how one member wanted to leave, but a leader encouraged them to stay on. "If we started together we need to finish it. Because for now this is working and we can earn money," read the message.

It's unclear why the chat log was left on a public-facing service, but it provided researchers with information about how the group went about their operations, transferred payments and built the malicious apps. The chat logs also revealed what appear to be the usernames of the two leaders of the Geost operation – names they use across other websites and something researchers say they're going to examine further.


It's believed that the Geost group is still active and researchers will use their knowledge of the group to keep monitoring their activity – because despite the poor operational security of the attackers, they still have access to a huge network of infected Android devices.

"Sometimes people think the most efficient malware should be super-obfuscated, super-developed for years and years. Sometimes that's true, but in most cases it's very simple," said Anna Shirokova, security researcher at Avast.

"Most of the time you hear about something which is very simple because criminals use something which is available. They don't want to spend years developing – they don't have the money or resources for it. They just want to make money," she added.
