
GM Bot malware campaign targets 94 mobile banking apps

A recently discovered Android banking malware campaign targets 94 mobile banking apps used by individuals across at least seven countries including the U.S.

The malware, a new variant of GM Bot, disguises itself as an Adobe Flash Player app, according to a blog post today by cybersecurity firm Fortinet. In reality, it draws fraudulent overlays on top of legitimate banking apps whenever one is opened, tricking users into entering their login credentials so attackers can steal them. U.S. financial institutions and services targeted in this mobile scam include Citibank, Chase, PayPal, TD Bank and many others, and the campaign also covers banks operating in Austria, Australia, France, Germany, Poland and Turkey.

The malware also targets other widely used apps, opening a malicious overlay page that asks for payment card information when any of them is launched. The affected apps include Calculator, Facebook, Facebook Messenger, the Google Play Store, Instagram, Skype, Snapchat, Twitter, Viber and WhatsApp.

Once launched, the malware, posing as Google Play services, asks the user for a long list of permissions and for device administrator rights, which let attackers read the victim's contacts, web bookmarks and browsing history, modify or delete the contents of USB storage, and more.

The malware also gains the ability to factory-reset the device, with drastic data loss as a result, and to intercept and send SMS messages, which effectively defeats SMS-based two-factor authentication, Fortinet warned. “This malware implements multiple malicious functionalities into a single app and takes full advantage of a successful infection,” the blog post reads.

Even if the request for admin rights is rejected, the malware will repeatedly display the request until the victim ultimately relents.

Fortinet security analyst and blog post author Kai Lu detected the malware sample on Oct. 21. “GM Bot's source code was leaked in late December 2015, so anyone can update it with new capabilities and distribute it,” said Lu, in an email interview with SC Media. The fake Flash app's method of distribution is not known at this time.

Once running, the malware also gathers information about its host device, including its IMEI, ISO country code, Android OS version, device model, phone number and list of installed applications, and sends it to a command-and-control (C&C) server. Later, after the victim enters payment card details, the malware checks whether the card number is valid and sends it to the C&C server as well.

To remove the malware, Fortinet advises device owners to first revoke its device administrator rights and then uninstall the fake Flash Player; Android refuses to uninstall an app while it is still an active device administrator, so the order matters. If the malware's relentless overlays prevent the victim from doing this through the Settings app, rebooting into safe mode, which stops third-party apps from running, restores access to Settings, and the package can then be removed over the Android Debug Bridge with the command ‘adb uninstall [packagename]'.
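The article names the command but not how to find the package name or how to tell whether the app still holds device-admin rights. The script below is an added example, not code from the article or from Fortinet: it parses the output of `adb shell pm list packages -3` and `adb shell dumpsys device_policy` and prints the removal steps. The package name `com.adobe.flash.player`, the receiver name `.FlashAdminReceiver` and both command outputs are constructed for the example; real samples use other names, and the `dumpsys` layout is abbreviated.

```shell
#!/bin/sh
# Added example, not code from the article or from Fortinet: find the fake
# "Flash Player" package over adb, check whether it still holds device-admin
# rights, and produce the removal commands. The package name
# com.adobe.flash.player, the admin receiver name and the dumpsys excerpt
# below are constructed for this example; real samples use other names.
set -e

# Constructed stand-in for `adb shell pm list packages -3` (third-party apps).
SAMPLE_PACKAGES='package:com.android.chrome
package:com.whatsapp
package:com.adobe.flash.player'

# Constructed, abbreviated stand-in for `adb shell dumpsys device_policy`;
# the "pkg/receiver:" lines under "Enabled Device Admins" are what matters.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.adobe.flash.player/.FlashAdminReceiver:
      uid=10123
      policies:
        wipe-data
        force-lock'

# find_packages PATTERN: read `pm list packages` output on stdin and print the
# package names that match PATTERN (case-insensitive).
find_packages() {
    grep -i -- "$1" | sed 's/^package://'
}

# active_admins_for PACKAGE: read `dumpsys device_policy` output on stdin and
# print each admin component (pkg/receiver) registered by PACKAGE, if any.
active_admins_for() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
    grep -o "$esc/[A-Za-z0-9_.]*" || true
}

# cleanup_commands PACKAGE ADMINS: print the steps to run. `adb uninstall` is
# refused (DELETE_FAILED_DEVICE_POLICY_MANAGER) while the app is an active
# device administrator, so admin rights must be revoked first; booting into
# safe mode keeps third-party apps, and therefore the overlays, from running
# while that is done in Settings.
cleanup_commands() {
    pkg="$1"
    admins="$2"
    if [ -n "$admins" ]; then
        echo "# $pkg is still an active device admin ($admins):"
        echo "# revoke it under Settings > Security > Device administrators"
        echo "# (boot into safe mode first if overlays block the screen), then:"
    fi
    echo "adb uninstall $pkg"
}

# Walk through the procedure on the constructed data. On a real device,
# replace the two printf pipelines with the adb commands named above.
pkg=$(printf '%s\n' "$SAMPLE_PACKAGES" | find_packages flash)
admins=$(printf '%s\n' "$SAMPLE_DUMPSYS" | active_admins_for "$pkg")
echo "suspect package: $pkg"
echo "active admins:   ${admins:-none}"
cleanup_commands "$pkg" "$admins"
```

If `find_packages` returns more than one candidate, pick the package manually before passing it on; a loosely chosen pattern such as `flash` can also match legitimate apps.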

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
