Speaking at the Virus Bulletin conference in London, researchers from the Czech Technical University, the National University of Cuyo (Argentina) and Avast described how they discovered one of the largest Android botnets built on a banking trojan. The botnet, code-named Geost, currently targets five banks in Eastern Europe. It comprises at least 800,000 infected devices, and its operators have access to several million euros held in their victims' accounts at those five banks.
The new botnet's command-and-control (C&C) server was found by chance while analysing the traffic of another piece of malware, HtBot. HtBot installs a proxy server on infected devices, which lets its owners make money by selling traffic-anonymization services. As it turned out, Geost traffic was also being routed through this cover.
Apparently the quality of the HtBot-based proxy service left much to be desired, because the researchers were able to trace an HtBot-infected device's connections to the C&C server of the new botnet. A second mistake gave them insight into the activities of the Geost operators: the accomplices discussed their work in a chat that was not encrypted. This let the observers learn how the attackers access their servers, infect Android devices, bypass anti-virus protection and gain access to bank accounts.
The new trojan turned out to be spreading disguised as legitimate banking applications and social-network clients. In terms of functionality it differs little from other mobile malware, except perhaps in the variety of applications it impersonates.
“The authors of the attacks apparently have the ability to read SMS messages, send them, interact with banks and redirect phone traffic to other sites. The bot herders also gain access to a lot of the user's personal information,” the speakers said.
After infection, all of the victim's SMS messages are forwarded to the C&C server and stored there.
The new botnet's infrastructure is fairly complex.
“The Geost bot herders have hundreds of DGA-generated malicious domains, at least 13 C&C IP addresses in six countries, at least 800,000 victims, and access to several million euros in victim accounts. We saw pictures of control panels, lists of victims and their SMS messages. The botnet can connect directly to five banks for transactions, and it has deployed more than 200 APK files impersonating dozens of Android applications,” the authors write in the abstract of their study.
The joint research team has contacted the affected banks and is now working with them to stop the malicious campaign.
Two of these banks operate in both Western and Eastern Europe, and one belongs to a holding company with branches in 15 countries.