BankBot created with leaked banking trojan source code

One of the newer Android banking Trojans to be found in the wild is the result of leaked banking malware source code that was found and improved upon by cybercriminals.

Android.BankBot, which is now affecting Android mobile banking apps in Russia, was created when the source code of another unnamed banking software was found on the web, and then improved upon by cybercriminals, according to BleepingComputer, which cited the cybersecurity firm Dr. Web.

“A banking Trojan that targets Android devices. It is distributed under the guise of benign programs, e.g., Google programs with the Play Store icon,” Dr. Web wrote, adding that once downloaded it asks the victim to grant it administrative permissions and then deletes its icon from the display.

In all likelihood BankBot's original source code was leaked and not intentionally released, said Jerome Segura, Malwarebytes lead malware intelligence analyst, and while in this case the original code was improved upon, that is not always the case.

“We have seen many similar leaks before, for example the Zeus banking Trojan, or SpyEye. Typically a competitor or a grey hat will choose to expose the code for various reasons. Having source code public is a bit of an issue because less skilled malware guys can simply copy/paste it and have a quality product very quickly, therefore creating more work for the community to defend against it,” Segura told SC Media.

However, Lamar Bailey, Tripwire's senior director of security R&D, said the source code's developer could have had a reason to release it: to crowd-source improvements.

“Dumping malware code is a great way to allow others to contribute to the code and modify it to help evade detection. This tactic was very successful for distributing Zeus. When you have a larger group modifying the code, the number of variants increases rapidly, making it very hard for security products that rely on pattern matching to detect it,” he said.

Although BankBot is interested in stealing banking data, it also attempts to mine the phone for other information.

Once on board, it goes to work by checking the device for one of a long list of mobile Android applications and, if one is found, it connects with its command and control server. The next move is to ask for account login credentials, which are sent to the server. The malware will also look for bank card information that might be stored on sites like Facebook, WhatsApp, Google Play Store or Uber.

It also collects information on the type of security software installed so that it can be blocked. BankBot's other form of self-protection is to block or divert incoming SMS texts from the bank that could be informing the victim that their device has been compromised.
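
A defender-side triage sketch for two of the behaviours described above, the device-administrator request and the interception of incoming SMS. It is an example added here, not code from Dr. Web's analysis or from the malware, and it assumes the APK's manifest has already been decoded to text XML; the sample manifest, package name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml (not from a real APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Play Store">
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Sms">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of article-described traits visible in a manifest."""
    root = ET.fromstring(xml_text)
    findings = set()
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if "android.permission.RECEIVE_SMS" in perms:
        findings.add("can_receive_sms")
    for rcv in root.iter("receiver"):
        # A device-admin receiver must be guarded by BIND_DEVICE_ADMIN.
        if rcv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.add("requests_device_admin")
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            prio = flt.get(ANDROID + "priority", "0")
            # A raised priority lets the receiver see the SMS before other apps.
            if ("android.provider.Telephony.SMS_RECEIVED" in actions
                    and prio.isdigit() and int(prio) > 0):
                findings.add("high_priority_sms_receiver")
    return findings


def is_suspicious(xml_text):
    """Flag only the combination: device admin plus an SMS interception trait."""
    f = triage_manifest(xml_text)
    return "requests_device_admin" in f and bool(f - {"requests_device_admin"})
```

Each trait on its own also appears in legitimate device-management and messaging apps, so a hit is a prompt for closer analysis, not a verdict.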