Thanks in no small part to the perpetrators' own sloppy operational security, researchers have uncovered a large Android banking trojan scheme that may have impacted hundreds of millions of Russians.
Dubbed Geost, the malware is distributed via a malicious cybercriminal botnet operation consisting of 13 command-and-control servers and more than 140 malicious domains, according to a paper issued today by a trio of researchers based in the Czech Republic: Sebastian Garcia of Czech Technical University in Prague; Maria Jose Erquiaga of UNCUYO University; and Anna Shirokova, security researcher at Avast Software.
Delivered via fake, malicious applications, Geost compromises Android devices so that attackers can remotely interact with the web services of five specific banks in Eastern Europe, potentially allowing them to steal funds. The researchers have not yet publicly identified the five banks. The report also alludes to a sixth victim, described as a publicly traded Russian electronic payment service provider.
The attackers can also gain access to a bevy of data pertaining to victims and their phones, and can even sort through users' SMS messages, including those legitimately sent by the banks.
The researchers have already linked more than 150 malicious APK files to the operation, which has been active since at least 2016.
One of the Geost's C&C servers was found to contain 1,452 pages of victim information, with 50 victims listed per page for an estimated total of 72,600 victims. On one sample page, the researchers observed a set of 50 victims who collectively possessed 1,129,152 rubles, or roughly 15,000 Euros, in their bank accounts. Aware of at least 12 additional Geost C&C servers, the researchers extrapolated the data to project that the cybercriminals behind this operation could have had access to many as 871,200 accounts, collectively holding about 240 million Euros in funds.
Through data exfiltration, the attackers have been able to collect sensitive intelligence such as phone brand, wireless service provider, phone number, IMEI number, Android version, whether or not a user had admin rights, the country the phone is based in and bank account balance history. Additional information gathered by eavesdropping on SMS messages can include the user's name and address, relationships, religion, purchases and expenses, and financial troubles, the report continues.
The researchers unearthed Geost while actually investigating an unrelated botnet malware known as HtBot, which turns victim machines into zombie proxies, through which cybercriminals can route their C&C communications, for a fee. As it turned out, the Geost actors opted to pay for this illegal proxy service, which the researchers say was not properly maintained.
That was the Geost cybercriminals' first operational security (OpSec) mistake, one of five key errors cited by the researchers.
"...The attackers had a flawed risk model when choosing the appropriate communication platform for hiding their tracks," the report states. "They picked up an illegal proxy network, not knowing that the network was being monitored by our laboratory. Instead of trusting a good communication provider, they trusted the security of a badly maintained illegal network."
Error number two was the Geost botmasters didn't bother to properly encrypt their C&C communications, which allowed the researchers to view their network traffic. Indeed, the researchers were first clued in to the Geost activity due to the unusually large amounts of unencrypted data that was observed being routed via the HtBot proxy network.
A third mistake was that one of the members of the Geost gang used the same HtBot proxy network a second time. "This is a huge underestimation of the security risk of using the same service twice. A better approach would have been to change the connection method every time," the researchers explain, adding that this second login allow them to further monitor the campaign and ultimately capture the perpetrators' credentials.
According to the report, the cybercriminal operation also made a mistake in hiring malware developers who lacked OpSec skills. This was evidenced by the discovery of a public web page containing a file that referenced a known Geost domain. The file turned out to be a log of a text chat covering eight months of Skype chats, many of which appeared to involve various members of the Geost operation. Furthermore, these chats were not encrypted, which allowed the researchers to conduct an open-source intelligence investigation into the cybercriminal operation.
The chat log even revealed credentials for a number of servers and services, as well as the online wallet ID and credit card numbers. "This information helped us find sensitive information about the identity of some individuals," the report states.
One particular logged conversation actually showed one conspirator longing to leave the operation: "But now im saying i am working but in fact I dont. I am getting demotivated and do not want to do anything... i thought about it, and im not in" says the user, who sports the online name taganchik.ru. Another user, powerfaer, replies, "Understand, ok. Shame. If you change your mind write to me". At one point earlier in the conversation, powerfaer actually refers to taganchik.ru by his possible real name, Alexander.
"The discovery of the Geost Android banking botnet inside the traffic of another malware proxy shows that operational security is very hard to get right, and that simple mistakes can lead to deep understanding of the operations of malware authors," the report concludes. After the discovery of the Geost botmasters accessing their C&C servers it was possible to find more and more pieces of their botnet infections, leading to a very large mapping of their attack infrastructure, their APK binaries, the number of victims infected, and an estimation of the economic size of the operation."
The researchers presented their paper today at the Virus Bulletin conference in London. A corresponding blog post from Avast is also available here.