Android GM Bot malware bot source code leaked online

Not only is the Android Trojan's code now available to cyberattackers for free, but they have also been gifted with a tutorial and instruction manual to infect vulnerable devices.
Written by Charlie Osborne, Contributing Writer

Source code belonging to the popular GM Bot malware for Android devices has been leaked online, researchers say.

Last week, IBM X-Force threat intelligence researchers said source code belonging to the mobile malware was leaked on an "underground board" -- likely within the Dark Web -- in December last year.

In a blog post, Limor Kessem, a cyber intelligence expert from IBM's Trusteer group, said the leak not only means cyberattackers can obtain this code without paying any purchase or subscription fees, but, to make matters worse, the code also came with a tutorial and a server-side instruction manual.

Cyberattackers develop their own code in some cases, but often malware packages and exploit kits are bought online for a one-time fee or a time-based subscription, which also gives buyers access to updates that stay ahead of antivirus firms, as well as additional features.

However, now that the Trojan's code is out in the wild, it can be refined, evolved and exploited on a wider scale -- especially as instructions for the mobile malware's use are also readily available.

Emerging in 2014, the Russia-based GM Bot Android malware is a Trojan which aims to dupe victims into handing over their online bank credentials by placing fraudulent windows on top of banking applications.

If a victim falls for the fraud, the credentials they enter are sent to the malware's operators, who can use them to siphon cash from accounts. Not only this, but GM Bot can also intercept SMS messages sent to an infected mobile device, eavesdropping on them and exfiltrating their contents.

The spyware can also remotely control infected devices.
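The overlay technique described above works because a login screen drawn over a banking app receives the user's taps instead of the real app. As an added illustration (not code from the article, from IBM, or from GM Bot itself), the Android snippet below shows the platform-level check a banking app can use on its own login control: inspecting the touch event's "window is obscured" flags and refusing input that arrives while another window covers the view. The class name, layout and view ids are assumptions made for this example.

```java
// Added example, not part of the original article: a login button that refuses
// touches delivered while another window is drawn over it (Android "tapjacking"
// protection). Layout and id names below are assumed for illustration only.
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class LoginActivity extends Activity {

    // Returns true when the event was delivered while this window was fully or
    // partially covered by another window (FLAG_WINDOW_IS_PARTIALLY_OBSCURED is
    // reported on API 29 and later; the constant is inlined at compile time).
    static boolean touchArrivedThroughOverlay(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partially = (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);              // assumed layout
        Button login = (Button) findViewById(R.id.login_button); // assumed id

        // Manual handling so the user gets feedback. The silent alternative is
        // login.setFilterTouchesWhenObscured(true), which drops such events
        // before any listener sees them; do not combine both, or this listener
        // will never observe the flag.
        login.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (touchArrivedThroughOverlay(event)) {
                    Toast.makeText(LoginActivity.this,
                            "Another app is covering this screen; input ignored.",
                            Toast.LENGTH_LONG).show();
                    return true; // consume the event: the login click never fires
                }
                return false;    // normal click handling continues
            }
        });
    }
}
```

This only blocks touches routed through an overlay; it does not stop the overlay itself from collecting credentials the user types into the fake window, so it complements rather than replaces server-side anomaly detection and user education about unexpected login prompts.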

Within the malware's administration panel, the researchers found options to search databases for victim data, as well as features which allow operators to create and deploy fresh injections and scripts on infected mobile devices.

The research team says the source code leak wasn't likely caused by a dispute between cybercriminals, but instead, "was the choice of one of GM Bot's buyers." In this case, the buyer was potentially looking to boost their reputation in the underground criminal community by offering a tutorial on mobile banking malware complete with the source code.

While the intended leak was only meant to include forum members who approached the buyer directly, the password to an archive containing the source code was then passed on to others.

This isn't necessarily a scenario which will annoy GM Bot's original creator, as they sold the rights to the code to another cybercriminal who now peddles the system for $500 a go, packaged as MazarBot. While this version may now be considered financially worthless, the vendor is working on a new version, dubbed GM Bot 2.0, which is also being sold in underground forums.

The researchers commented:

"The exposure of GM Bot's code is comparable to the source code leaks of PC Trojans that include Zeus, SpyEye, Carberp and others. While GM Bot may not be as prolific as the major banking Trojans mentioned here, it is definitely a game changer in the realm of mobile threats.

Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware."
