Beware! This Android banking trojan intercepts SMS messages and bypasses 2SV

It may be targeting your bank already…


Watch out! A type of Android banking trojan capable of intercepting SMS messages is currently targeting at least 50 major banking organizations worldwide.

The malware goes by many names. Acecard, Slembunk, and Bankosy are a few, though it's most widely known as GM Bot.

In the last three months, researchers at Avast have recorded 200,000 instances in which its users have encountered the trojan. That's probably because the malware is now targeting Bank of America, American Express, Chase, Discover, JP Morgan Chase, National Australia Bank, ING Direct, Credit Karma, Deutsche Bank, and other well known financial organizations with fake login pages designed to steal customers' credentials.

[Image: Db overlay]

Here's how the trojan works.

Once downloaded, the malware, which usually disguises itself as an adult video player found on third-party websites, hides the fake app's icon from the home screen and then asks for administrative privileges.

[Image: Admin right request]

Nikolaos Chrysaidos of Avast explains why you don't want to grant that right to the malware:

"With full administrative rights, GM Bot knows and can control everything happening on an infected device. The malware springs into action when an app from its list, which mainly consists of banking apps, is opened."

Sure enough, when you open a banking app the malware will overlay its own login page designed to steal your personal and financial information.

Is your account protected by two-step verification (2SV)? Not a problem for GM Bot! It takes after other banking malware like Android/Spy.Agent.SI and Trojan-Banker.AndroidOS.Tordow.a in that it can intercept SMS messages and, by extension, bypass 2SV.

Once it has gathered all the information it wants, GM Bot will send the data to a command and control (C&C) server, where its authors can abuse victims' details to commit fraud or identity theft.

[Image: Info for C&C server]
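The three behaviours just described (device-admin request, overlay on top of a banking app, SMS interception) each need specific declarations in an app's manifest, which is what makes the "excessive permissions" check recommended later in this article workable. Below is an added triage script, not from the article or from Avast, that parses an AndroidManifest.xml and reports which of those capabilities it declares; the permission names are the standard Android ones, and the manifest is a constructed sample in the style of the fake video player the trojan poses as.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capabilities described in the article, mapped to the standard Android
# permissions an app needs to implement them (assumption: these names are
# Android's own, not taken from the article).
CAPABILITY_PERMISSIONS = {
    "SMS interception (2SV bypass)": {"android.permission.RECEIVE_SMS",
                                      "android.permission.READ_SMS"},
    "Login overlay on top of banking apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "Foreground-app monitoring": {"android.permission.GET_TASKS"},
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability: [permissions found]} for the risky capabilities."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name")
                 for el in root.iter("uses-permission")}
    findings = {cap: sorted(requested & perms)
                for cap, perms in CAPABILITY_PERMISSIONS.items()
                if requested & perms}
    # A receiver guarded by BIND_DEVICE_ADMIN is what lets an app prompt
    # the user for device administrator rights.
    admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
                for r in root.iter("receiver"))
    if admin:
        findings["Device administrator request"] = [DEVICE_ADMIN_PERMISSION]
    return findings


# Constructed sample manifest for a supposed "video player"; none of the
# flagged declarations is needed to play video.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for capability, perms in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

Run it against a real manifest by extracting it from the APK first (for example with apktool); a video player that trips any of these findings is exactly the mismatch between permissions and advertised features the article warns about.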

Chrysaidos is deeply concerned about the malware's new list of targets:

"GM Bot’s source code was leaked in late December 2015, so it is now available to everyone, so just about anyone with a bit of tech knowledge can distribute the malware. Cybercrooks can go a step further and tweak GM Bot’s code, customizing it to gather more information. This means that new variants with new and different capabilities are constantly being created."

Fortunately, users can protect themselves against GM Bot just as they would any other piece of mobile malware.

For starters, they should always download apps from trusted developers on official app marketplaces like Google's Play Store and Apple's App Store, not third-party websites.

The official marketplaces have better vetting mechanisms for their apps. Users should also read each app's reviews before downloading, since another user may have reported malicious behaviour there, and check that the app doesn't ask for permissions that are excessive given its advertised features.

Finally, users should install a mobile anti-virus solution onto their Android devices. Yes, anti-virus can have its limitations... but it does provide an additional layer of protection.

And the more protection you can get, the better off you'll be.


3 Responses

1. Scott
   November 2, 2016 at 12:18 pm

   Hi David, what would you recommend for AV for Android?

   • Mr Sean Durrant in reply to Scott.
     November 4, 2016 at 10:23 am

     I use Lookout

2. Mr Sean Durrant
   November 4, 2016 at 10:24 am

   Does it make any difference if you have something like the Google 2 step verification app?
