Slashdot Mirror


The Source of All Major Android Banking Trojans Just Got Updated To V2 (softpedia.com)

An anonymous reader writes: Apparently, during the past months it has come to the surface that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only $5,000 on underground hacking forums. Taking advantage of his newfound glory, the coder behind that malware has now released a second version, three times the price of the first, complete with 3 exploits that can guarantee root access on older versions of Android (which are plenty thanks to [ignorant] OEMs and carriers). Some of the malware that originated from GM Bot includes: SimpleLocker (first crypto-ransomware for Android), AceCard (considered the most sophisticated Android malware to date), Bankosy and SlemBunk (banking trojan and backdoor), and Mazar Bot (banking trojan, backdoor and ransomware). To make things worse, GM Bot v1's source code also got leaked online, making it available to any halfwit developer that wants a crack at a cybercrime career.

38 comments

  1. Thank God I use Firefox OS! by Anonymous Coward · · Score: 0

    When I hear news like this, I'm very thankful that I use Firefox OS. I don't think anyone has written any apps of any kind for it. My phone can't be attacked by malicious software that doesn't exist.

  2. How can I update? by 110010001000 · · Score: 2

    How can I grab the latest version? I tried Sourceforge, but didn't see anything available. Please help!

    1. Re:How can I update? by softnewsit · · Score: 1

      Update what? Android?

      --
      Go away!

  3. Criminals gonna crime. by ErikTheRed · · Score: 4, Informative

    I don't really get the outrage at this. Criminals are going to commit crimes. I think the outrage would be better directed at Google for promulgating a "security-last" OS to manufacturers who, for the most part, can't be bothered with updates after a few months. When you suck at security almost infinitely more than Microsoft, that's saying something...

    --

    Help save the critically endangered Blue Iguana

    1. Re:Criminals gonna crime. by Anonymous Coward · · Score: 1

      "security last" except when it comes to the customer, then it's "complete lockdown first and foremost", where if you sidestep that you've waved bye-bye to your warranty and manufacturer support. Probably also putting yourself on a list of people handed off to Google's double secret NSA side council that guarantees you will have trojans on your phone.

    2. Re:Criminals gonna crime. by aaarrrgggh · · Score: 3, Interesting

      I think you are stating the obvious there... this is one of the fundamental flaws of the Android ecosystem.

      Are we going to have to start being nutjob-paranoid and placing a dedicated browser in a virtual machine with only a single trusted certificate and using a pin-protected RSA key for every transaction?

      I almost want a dumb phone and a Filofax now.

    3. Re:Criminals gonna crime. by DontHackMeBro · · Score: 1

      You probably should use a dumb phone and a fax machine since we are stripping away our privacy so that foreign criminals can sniff all of our online activity.

    4. Re:Criminals gonna crime. by Locke2005 · · Score: 3, Interesting

      Hardware vendors and cell companies have zero incentive to continue to support phones they are no longer selling. Why would you even expect them to keep shipping updates for them? Yes, Google bears some of the blame for setting up the Android ecosystem this way, instead of obligating some entity with the responsibility to continue support.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.

    5. Re:Criminals gonna crime. by Anonymous Coward · · Score: 0

      Well, you still can get the original Moto Razr. I was quite fond of the thing until my wife ran it through the wash.

      On the other hand, there is nothing that *forces* you to do online banking with your smartphone. I have a smartphone now, and I never use those things.

    6. Re:Criminals gonna crime. by Anonymous Coward · · Score: 0

      Easy to make fun of MS, but they did build their own OS more or less from the ground up without copying UNIX and ultimately that diversity is a good thing. Part of why Linux and UNIX can remain so secure is because Windows exists for the mainstream user who would want far more app selection than those platforms offer.

      If Linux had the user base and developer base it would likely be exploited at least more often than OSX.

      So.. with all those users and having made their own OS.. there is no real metric to judge MS security with. There is no other OS that compares in the amount of users out there and sorry but Android and Chrome.. those are toy OSes. They aren't anywhere near ready for primetime and any fool knows that just by using them. The blind demand for gadgets is the real driving force. A lot of people waste a lot of money to own smartphones and only use them for a tiny fraction of what they can do.. it's often a very bad investment.

      A desktop or laptop on the other hand is a basic core tool that all businesses need. A smartphone is really not mandatory in almost any line of work, it's just convenient, but often it's little more than a phone that gets email.. most other features are entertainment based or silly.. like creating documents on your phone.

      OEMs are not to blame.. Google and Android developers are. Google made this platform to make advertising revenue, they don't care about security, they care about mining as much info from you as they can. That's why most of their apps are half finished crap.. they only need the apps to win over and keep users whom they will then mine for life. Google Docs.. Gmail.. they are very much simplistic and half finished apps. There is no reason all these years later Gmail formatting, font, text styles and so on would still be so immature.

      Compare to a well crafted email made in something like Outlook; an email created in Gmail can often have a clearly less professional look. It's just a simple lack of good built in word processing tools. Everyone loves Google, but a lot of their services actually suck or fail because they don't follow through and Android really isn't that much different on that front.

      For its rather short time in development and potential I'd love to see Windows 10 Mobile become a real option, because I'd jump off Android in a second and I avoid Apple products as much as possible because of their closed and greedy business model. I hate Google's music player, their doc programs, their Android based Gmail app. It's not that iOS or MS are that much better.. it's just that Google has no excuse to be making so much money and letting the core OS continue to suck so much. Google Now is useful, but it's going to wind up being the least liked of the three virtual assistants because Google is too dumb to realize that people actually like the voice personality concept... why? I dunno. Siri did well. Cortana is doing well. Google Now or whatever you want to call Google's voice commands is to a large degree ignored by users because Google won't brand it in a way that interests them and helps them use it.

      Does Google not see voice control as the future? Even Amazon has moved ahead of them. Google's model sucks.. letting third party developers control the direction of the platform has made millions of people hate anything Android. Google has to make ALL those core apps to provide a consistent experience because nobody wants to learn a new OS or UI each time they get a phone. The reason OEM software is there is because Google has not provided obvious features that people want and often those features require little coding so the phone maker does it and of course that fractures coding time and creates tons of crappy apps and basically makes the whole Android platform unreliable and inconsistent.

      Once MS has a strong market people are going to prefer the simplicity of a standardized interface across all phones as well as all the built in syncing without third party apps. Google has no real desktop OS, so they can't compete there.

    7. Re:Criminals gonna crime. by Anonymous Coward · · Score: 0

      The question is what exactly is MS's new profit model since they aren't forcing us to get a 'new' OS anymore.

      Cloud (Azure) and hosted services. That's the next really big thing and a real bright spot in recent quarterly revenue reports from Microsoft. Not a lot of people outside of developers really know this yet, but Microsoft is very well positioned for the cloud computing future. They probably have a better position than Google in that market and are well positioned to take on Amazon in a knock down drag out cloud battle lasting a decade or more. Google has their own services, but they aren't as good about offering hosted computing to outsiders who want to build their own platforms and pay to have Google host them. Amazon and Microsoft are the real players in this hosted cloud computing market right now and that will be the next big tech battle in the years to come.

    8. Re:Criminals gonna crime. by wardrich86 · · Score: 1

      It's not "Security last" it's "Let's treat users like they're not fucking idiots." In order for this malware to infect your phone, you'll have to download an APK from a shoddy site, enable 3rd party package installations, and completely disregard the warning message.

  4. When is Google going to wake up? by Anonymous Coward · · Score: 2, Insightful

    And give Android two things:

    1) The Linux Netfilter firewall as standard (not requiring rooting first) plus all the necessary user-level power tools as well as simple user-friendly apps to control it.

    2) User-control of app permissions post-install, not just the choice of "either don't install an app, or else install it and grant every permission that its developer requests for as long as it's installed". This idiotic design is a travesty of insecurity and anti-privacy, and Google should be ashamed of themselves for it.

    The non-technical Android user today (who can't be expected to root their device) is virtually powerless, and ripe for harvesting by organized crime --- they must love Google's Android team, the crime enablers.

    1. Re:When is Google going to wake up? by 110010001000 · · Score: 1

      They will never wake up. They are too busy sleeping on their piles of cash.

    2. Re:When is Google going to wake up? by sumdumass · · Score: 3, Interesting

      Netfilter might be too powerful for the majority of users. They would likely lock themselves down and eventually turn it off.

      As for permissions, I cannot agree more. Let the app stop working when the permissions are denied but let me change them. There are a few apps I use rarely enough that currently I uninstall between uses. If I could enable or disable permissions I could just keep them on the phone. There are also some apps like the one for my blood pressure monitor that I refuse to install because it wants access to my call log, contacts, photos, and something else I cannot figure out why. I even contacted the manufacturer (Omron) asking them to explain why but got no response.

    3. Re:When is Google going to wake up? by Geeky · · Score: 1

      The permissions thing came in with Android M. It's a pain for apps not specifically compiled for it though, because every time you update the apps you have to grant them all the permissions they want and then go and remove them again. But the feature is now there. If your phone vendor/carrier has given you M of course.

      --
      Sigs are so 1990s. No way would I be seen dead with one.

    4. Re:When is Google going to wake up? by Anonymous Coward · · Score: 1

      The permissions thing came in with Android M. It's a pain for apps not specifically compiled for it though

      This is just more Android team incompetence.

      An app should have no business knowing whether permissions have been granted or denied to it, but should merely work in the expectation that it has them. The data it wants could even have been manufactured by the user uniquely for this app, and it's no business of the app's to know about such a user choice.

      It's private information whether permissions have been granted or denied to an app. The app should merely do its best with the data it has been given, or fail if it can't proceed.

      On a device owned by a user, the user calls the shots, period. Google doesn't understand this, probably deliberately.

    5. Re:When is Google going to wake up? by Anonymous Coward · · Score: 0

      Netfilter might be too powerful for the majority of users. They would likely lock themselves down and eventually turn it off.

      The raw power of Netfilter would be for power users only, configured with the help of a flexible graphic app (similar to the firewall screens provided in commodity routers), plus script files to package up iptables commands for those who want that level of control.

      You're quite right that ordinary Android mortals would not benefit from anything that complex, but for them Google could provide a much simpler app which controls Netfilter behind the scenes with pre-packaged firewall options. The majority would probably be entirely happy with firewall controls as simple as:

      - "Basic Internet firewall" - ON/OFF
      - "Strong Internet firewall" - ON/OFF
      - "Master Internet access" - ON/OFF

      (Or some variation of that idea, maybe with added Wifi and Wired LAN options too. In other words, something very simple that all users could comprehend and which would provide little opportunity for problems to develop.)

      And if Google really wished to help users regain control over their own devices, they could detect outgoing connections from apps phoning home and provide graphic firewall controls over those connections, per app. It's not rocket science.

    6. Re:When is Google going to wake up? by Anonymuous+Coward · · Score: 1

      There are also some apps like the one for my blood pressure monitor that i refuse to install because it wants access to my call log

      Try downloading the apk, unpack it with apktool, strip those permissions from AndroidManifest.xml, pack it back and then install it via adb.

      In fact, the baksmali 'assembly' format is very readable and easy to understand; you can study and modify the java part of an app almost as if you had the source code.
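As an added example (not from the thread or from apktool, baksmali or any other tool named in it): a Python script that audits the permissions in the plaintext AndroidManifest.xml that apktool produces, reports the ones a reviewer cannot explain for the app's stated purpose, and produces the stripped manifest the comment describes. The sample manifest, package name and allow-list are constructed; a rebuilt APK must also be re-signed before Android will install it, and an app that assumes it holds a permission may crash when the call is refused.

```python
"""Audit the permissions an app requests (added example, not from the thread).
Input is the plaintext AndroidManifest.xml that apktool writes when decoding an
APK; the manifest and allow-list below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# A subset of the permissions Android itself classes as "dangerous".
DANGEROUS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample: a Bluetooth health monitor that also asks for call log,
# contacts and storage, the pattern one commenter describes. Package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bpmonitor">
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="BP Monitor"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission> name in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def audit(manifest_xml: str, expected: set[str]) -> dict:
    """Compare requested permissions with the reviewer's allow-list for the app.
    Anything outside the list is 'unexplained'; the dangerous subset of that is
    what a user most wants to know about before installing."""
    requested = set(requested_permissions(manifest_xml))
    unexplained = requested - expected
    return {
        "requested": sorted(requested),
        "unexplained": sorted(unexplained),
        "dangerous_unexplained": sorted(unexplained & DANGEROUS),
    }


def strip_permissions(manifest_xml: str, drop: set[str]) -> str:
    """Return the manifest with the given <uses-permission> entries removed.
    The rebuilt APK still has to be re-signed before it will install, and an
    app that assumes it holds a permission may crash when a call is refused."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) in drop:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, {"android.permission.BLUETOOTH",
                                     "android.permission.INTERNET"})
    print(report)
    print(strip_permissions(SAMPLE_MANIFEST, set(report["dangerous_unexplained"])))
```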

  5. fail++ by Anonymous Coward · · Score: 1

    1. Who is dumb enough to do banking on something so insecure as a mobile phone? It's a sieve.
    2. Since people are dumb enough to do something so critical and private as banking on their phone, doesn't this bolster Apple's argument against the FBI?

    1. Re:fail++ by AC-x · · Score: 3, Insightful

      Who is dumb enough to do banking on something so insecure as a desktop browser? It's a sieve.

    2. Re:fail++ by aaarrrgggh · · Score: 3, Insightful

      Yup... It used to be that the smartphone was more secure without Java, Flash, Acrobat, and a "trusted" cellular internet connection.

      Kids used to walk to school alone too!

      Not sure how much is perception and how much is a real problem in either case.

  6. How exactly is it by subk · · Score: 1

    that this ends up on a user's phone? I'm assuming it's not through the Play Store and the user was visiting Russian donkey porn sites?

    --
    Now, if you'll excuse me, I have backups to corrupt.

    1. Re:How exactly is it by Anonymous Coward · · Score: 0

      Yeah. I've read my share of Android malware reports. Porn sites are the main source. Usually disguising it as an Android port of Flash Player so they can see those "spectacular" porn movies.

    2. Re:How exactly is it by campuscodi · · Score: 1

      Yea, porn sites. But people also use third-party stores to download games and apps that are clones of commercial games and apps on the Google Play Store.... you know... "pirates." For once, piracy doesn't pay, at least for Android.

    3. Re:How exactly is it by DontHackMeBro · · Score: 1

      Most likely Russians loading shitware onto the Play store.

    4. Re:How exactly is it by is7s · · Score: 1

      Yeah, most of these reports say it's Russian-based.

  7. Question about the code by Anonymous Coward · · Score: 0

    Is the code commented? If not then it will not pass code review.

  8. GM Bot v1 source code by Anonymous Coward · · Score: 0

    So who has a link? I couldn't care less about the banking aspect, but I'm interested in seeing how the root exploits work.

    1. Re:GM Bot v1 source code by campuscodi · · Score: 1

      IBM's X-Force team discovered it, but they never shared the link of the hacking forum where it was shared among users (for free). They've probably provided copies to other security vendors, since FireEye also put out its own report, but I don't think they'll ever make that source/link public. This is not the thing you usually share.

  9. What kind of money would GanjaMan make on this? by mykepredko · · Score: 1

    I'm simply curious (not because I want to get into the business) as $15k plus $2k per month (or $8k plus $1.2k per month for the exploitless version) is not chicken feed.

    Are there that many "halfwit developers" out there that are willing to make this a viable option? Or, is this a case of the developer selling the malware to (would be) criminals, to make money on the work but minimize the risk?

    I'd be interested in seeing the contract in the case of the customer being caught and going to jail.

  10. "halfwit" by Art+Challenor · · Score: 1

    any halfwit developer that wants a crack at a cybercrime career

    I don't know where on the developer scale "halfwit" falls, but, in my experience the median programmer is fairly incompetent, and half of them are less talented than this - including the ones who can't copy/paste/modify stackoverflow examples and end up with working code.

    Without even looking at the codebase, I would expect that anyone capable of understanding the code and modifying it enough to make something different is well above the median. In the wealthier nations I think that they could probably make more money legally than they make illegally (even though the business looks pretty good).

  11. Foreign Hackers by DontHackMeBro · · Score: 2

    Are going to start WW3.

    1. Re:Foreign Hackers by tlambert · · Score: 1

      Are going to start WW3.

      And this is a damn shame! Has no one any pride left in their work in this country?!? It should be AMERICAN hackers who start WW3! GO USA!

  12. Who is ignorant? Customers. by Anonymous Coward · · Score: 0

    "[ignorant] OEMs and carriers" ... You mean Customers. People who go buy a phone are sold exactly what the carrier gets the most money from, which happens to be the junk-tier Android phones.

    That doesn't mean OEMs and Carriers aren't playing a role in this, but that their greed is what is destroying Android as a platform. It's not easy to replace a phone's OS like it is a PC. Most devices that are not a PC are bricked if you screw it up. Do you really expect people to install CyanogenMod? No... they will just keep using their phone until the battery no longer charges or the screen is cracked. Then the cycle will be perpetuated where they go back to the Carrier and get another "free" phone.

    The ideal resolution is that Carriers block "infected/infectable" devices by IMEI number, the customers are forced to go to the store to have the firmware updated, and if the device is too old (most are) they are forced to make a decision of either replacing the phone or joining a class action lawsuit against Google/Carrier/Manufacturer. Really, this would light a fire under the carriers' and manufacturers' collective asses.

  13. Couldn't find it on the App Store, either...Weird. by Brannon · · Score: 1

    Sent from my iPhone

  14. "thanks to [ignorant] OEMs and carriers" by tlambert · · Score: 1

    "thanks to [ignorant] OEMs and carriers"

    That's an incorrect position.

    For the OEMs, they take a snapshot of the Android development tree at some stable point, and then they put in a hell of a lot of work to productize it for a given specific platform. And then they don't touch it, ever again. Each new phone is a new port, and each update to the OS on a phone would also be a new port.

    Maintaining version updates on an ongoing basis is not possible with this development model, and having Google do the productization is not desirable to the carriers (who want a branded experience and a captive application store portal), nor Google (which is temperamentally incapable of productization, and does not want to assume update liability for Android phones, in the first place).

    The carriers are the major beneficiaries, since if you want to add 0.0.1 to your version number (I still cannot understand that desire, but people also buy Corvettes, and they buy German cars with interference engines where if the timing belt/chain breaks, it utterly destroys the entire engine ... so go figure), that thousandth of an increment in version number means you will be re-upping your contract for another 2 years (effectively, 18 months).

    So the carriers have no incentive to distribute updates, the manufacturers have no incentive to change their process, since the majority of their sales are through carriers, and the carriers aren't going to take a consignment of last year's phones. And Google isn't involved in the productization, because the OEMs don't want the code specific to their device showing up in the Android tree before it's released (which would disclose product plans) or frankly showing up at all (which would allow a competitor to use the same chips in their device, and not pay the development costs that the original OEM had to pay, allowing them to undercut their pricing for exactly the same product).

    Google: Good money spent to no effect
    OEMs: Good money after bad, aiding competitors
    Carriers: Good money after bad, update error liability, inability to lock you into a new contract to get you +0.0.1 fix

    How again is this ignorant? It seems to be highly educated on the economics of the situation to me...

  15. Can Android be forked? by Anonymous Coward · · Score: 0

    Can Android be forked?
    If so, why hasn't anyone with any reasonable ability and funds forked it and actually made it a good OS?

    All it needs is literally a few minor changes and the entire thing would be secure as hell.
    Google made it insecure by design for god knows what reason. It certainly offers nothing and most apps that aren't written by shitty developers work fine without half the permissions they request.

    Add in an actual updating system that isn't SHIT and we are golden.