A sampling of GM Bot's social media overlays, designed to trick users into entering their payment card information. Image courtesy of Fortinet.
A sampling of GM Bot's social media overlays, designed to trick users into entering their payment card information. Image courtesy of Fortinet.

A recently discovered Android banking malware campaign targets 94 mobile banking apps used by individuals across at least seven countries including the U.S.

The malware, a new variation of GM Bot, disguises itself as a Adobe Flash Player program, according to a blog post today by cybersecurity firm Fortinet. But in reality, it creates fraudulent overlays that appear whenever a legitimate banking app is opened, tricking users into entering their log-in credentials so attackers can steal them. U.S. financial institutions and services targeted in this mobile scam include Citibank, Chase, Paypal, TD Bank and many others – but the scam also includes banks operating in Austria, Australia, France, Germany, Poland and Turkey.

The malware also targets various social media mobile apps by opening a malicious overlay page that asks for payment card information when these apps are opened. The affected apps include Calculator, Facebook, Facebook Messenger, the Google play store, Instagram, Skype, Snapchat, Twitter, Viber and Whatsapp.

Once launched, the malware, under the guise of the Google Play service, asks the user for myriad permissions that grant the malware administrator-level access to the device – thus allowing attackers to peruse your contacts, read your web bookmarks and history, modify or delete USB storage contents and more.

The malware also acquires the ability to reset factory settings – which can result in drastic data loss – and also control SMS messaging, which effectively nullifies two-factor authentication security measures, Fortinet warned. “This malware implements multiple malicious functionalities into a single app and takes full advantage of a successful infection,”the blog post reads.

Even if the request for admin rights is rejected, the malware will repeatedly display the request until the victim ultimately relents.

Fortinet security analyst and blog post author Kai Lu detected the malware sample on Oct. 21. “GM Bot's source code was leaked in late December 2015, so anyone can update it with new capabilities and distribute it,” said Lu, in an email interview with SC Media. The fake Flash app's method of distribution is not known at this time.

Upon installation, the malware also gathers information about its host device – including its IMEI number, ISO country code, Android OS version, device model, phone number and installed applications – and communicates it to a command-and-control server. Later, after the victim inputs his or her payment card details, the malware verifies if the card number is valid and sends that to the C&C server as well.

To uninstall the malware, Fortinet has advised device owners to disable admin rights and uninstall the fake Flash Player. If the malware's relentless use of overlays prevents victims from uninstalling the malware conventionally, they can instead access the Android Debug Bridge and use the command ‘adb uninstall [packagename]' to rid themselves of the program.