Security Experts:

Mobile Malware Market Increasingly Competitive

Mobile malware developers are competing for market share by creating highly sophisticated products or low-cost alternatives to existing offerings.

An analysis of the mobile malware marketplace conducted by IBM X-Force researchers showed that cybercriminals looking to make a profit by targeting smartphone users have plenty of products to choose from.

One of the most long-standing mobile malware families is GM Bot, also known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo. This Android Trojan allows malicious actors to steal sensitive information from users by displaying phishing pages on top of legitimate banking applications in what is known as an overlay attack.

The source code of GM Bot v1 was leaked earlier this year and, shortly after, the malware’s developer announced the release of the second version, which he claims has been written from scratch.

GM Bot is highly sophisticated, but since it’s priced at $15,000 plus a monthly fee, some cybercriminals might be looking for less expensive alternatives. According to IBM, there are several Trojans that cost less and while they might not be as sophisticated as GM Bot, they’re all advertised as having overlay and data theft capabilities.

One of them is KNL Bot, a threat that has been around for at least as long as GM Bot, but which costs only half as much. The seller claims KNL Bot, whose package includes a botnet control panel, has all the functionality needed to steal banking credentials and payment card data.

Another alternative is Bilal Bot, a piece of malware that is less sophisticated than KNL Bot and GM Bot. Bilal Bot currently costs only $3,000, which includes unlimited bug fixes.

While it’s still in testing mode, the malware’s authors promise a variety of fraud-enabling features, including overlay screens, SMS hijacking and call forwarding capabilities. The developers say customers will be able to customize the overlay screens from the control panel before sending them to the malware.

IBM researchers also found a newcomer dubbed Cron Bot, which first appeared on underground cybercrime websites on April 1. Cron Bot can be rented for a monthly fee ranging between $4,000 and $7,000, depending on the package.

Cron Bot’s authors promise a set of features commonly found in PC Trojans, including VNC, injection, loader, keylogger, SOCKS5 and cmd modules. An Android application package (APK) that is rented separately offers features that are similar to other mobile threats, including functionality for hijacking SMSs, call forwarding, overlay screens, and harvesting payment card and other types of information.

“KNL, Cron and Bilal are only three current-day examples from a mobile malware marketplace that has been gaining rapid momentum on many levels. Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organized gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors,” Limor Kessem, executive security advisory at IBM, wrote in a blog post.

“The rising supply of different offerings, including low-cost alternatives, may be in response to the rising demand for fraud-facilitating wares at a time when full-fledged banking Trojans have become the domain of organized crime groups. Overlay Android malware is fueled by cybercriminal buyers who see this capability as a panacea to the fraud endeavors they cannot carry out without a banking Trojan operation,” Kessem added.

Related: Asacub Android Malware - Spyware, Banking Trojan, and Backdoor

Related: Nasty "Brain Test" Android Malware Returns to Google Play

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.