Leaking the trojan's source code is the worst thing that could have happened and will cause more damage down the road

Feb 20, 2016 08:25 GMT

After someone leaked the source code of a recently discovered Android banking trojan, security researchers have concluded that the recent wave of Android banking trojans all descend from a common parent and are, in effect, the same malware.

In the past year, there was an epidemic of banking trojans targeting the Android ecosystem. Security researchers from FireEye discovered SlemBunk, Symantec blew the lid on Bankosy, and in the past week, Heimdal Security uncovered Mazar BOT.

According to the IBM X-Force team, all of these families are one and the same, originating from a threat family IBM has been tracking since 2014.

GM Bot: Mazar Bot, I am your father!

Named GM Bot, the malware emerged on Russian-speaking cybercrime underground forums, where it sold for around $500 / €450. Other, lesser-used names for it include Acecard and Slempo.

As IBM explains, the author of this threat decided to abandon the current version (v1) and move on to a new iteration, but not before selling the distribution rights for its most recent variant (known as Mazar BOT) to another criminal.

Mazar BOT's source code leaked when the administrator of an underground hacking forum purchased it from this criminal and decided to offer it as a reward to his own site's registered users.

The source code was placed in a password-protected archive, and registered forum users could PM the forum admin and ask for the password. Of course, things didn't go as planned: users started sharing the password among themselves, and in no time the Mazar BOT source code was being passed around all over the hacking underground.

Malware source code leaks are the worst thing that can happen to users

So what now? If there's one thing malware history has taught us, it is that after the source code of dangerous malware gets leaked, a surge of even more dangerous and more sophisticated malware of the same category follows. And Mazar BOT is one of the most dangerous, if not the most dangerous, banking trojans in the Android ecosystem.

The exact same thing happened with the source code of the PC-based Zeus banking trojan. After someone leaked it online, criminals created their own versions, and many of today's top-ranked banking trojans are derived in some way or another from Zeus.

But the code does not necessarily have to be leaked to cause harm. In the past year, a Turkish security analyst made the mistake of open-sourcing the code of two ransomware families. What happened next was a total disaster that sparked an invasion of ransomware families derived from that codebase, most of which didn't work properly and sometimes lost user files for good.