Hacker is selling the malware for $15,000

Mar 11, 2016 22:15 GMT  ·  By

During the past weeks, the IBM X-Force team has come across a second version of the infamous GM Bot banking trojan, a dangerous and highly effective malware family targeting Android users.

GM Bot came to light only in recent months, more specifically after IBM discovered a connection between the malware and other banking trojans that had been ravaging Android devices around the world.

To provide more insight into how this malware evolved, IBM has put together a timeline of how the threat developed in underground hacking forums over the past few years.

GM Bot appeared in 2014 and spawned different variations

GM Bot v1 first appeared online in October 2014, when its creator, GanjaMan, started offering it for $5,000. For its time, the malware was very advanced, and as it turned out, many crooks purchased it and reused parts of its source code to create their own GM Bot variants.

Things changed a few months back, when development on the malware stopped and GanjaMan transferred its source code to another developer.

This developer was also renting it out to other users, one of whom decided to leak the source code on his forum in order to gain notoriety in the hacking community.

As it turned out, having access to GM Bot's source code allowed IBM to establish connections to other Android banking malware, such as SlemBunk, Bankosy, Mazar BOT, and even the recently discovered AceCard.

GM Bot v2 surfaces on underground hacking forums

The spread of GM Bot's source code, and the fact that so many other developers have used it to create malware that security companies have called "some of the most sophisticated Android malware threats they've seen," has made GanjaMan a celebrity in the hacking underground.

Because of this, when GanjaMan released GM Bot v2, he decided to charge three times as much as he did for v1, asking $15,000 for the malware plus exploits, along with a monthly fee of $2,000.

Customers who only wanted the malware, without GanjaMan's three exploits, which he claimed would provide root access to the device, would pay only $8,000 and a monthly fee of $1,200.

This is only a "testing" version

GanjaMan says that this is only a testing version and that new features will be added. Planned GM Bot v2 features include the ability for the trojan to communicate over Tor. GanjaMan appears to be selling GM Bot v2 under the name Skunk.

Technically, GM Bot v2 is said to have been written from scratch, mainly because security firms had in recent months begun to detect and analyze v1. GanjaMan bundles three exploits for obtaining root access, but IBM says these rely on known, already-patched vulnerabilities that only work on older Android OS versions, so devices running a current, fully patched Android release are not affected by the bundled exploits.

The hacker was also open to partnering with other cyber-crooks to provide buyers with support and with avenues of infection (that is, delivering victim traffic to buyers).

UPDATE: Shortly after this article's publication, FireEye also put out a report in which its researchers confirm similarities between GM Bot and Android banking malware such as SlemBunk.

Here's a short excerpt from the report: "Using IBM’s reporting, we compared their GM Bot samples to SlemBunk. Based on the disassembled code of these two families, we agree that there are enough code similarities to indicate that GM Bot shares a common origin with SlemBunk. Interestingly, our research led us to identify an earlier malware family named SimpleLocker – the first known file-encryption ransomware on Android – that also shares a common origin with these banking trojan families."