14 DAY TRIAL // The underground malware scene is no different from any other business market, and malware coders are constantly busy churning out new viruses while also jumping at each others' throats.
After previously exposing the shady dealings of GanjaMan, a malware coder who's selling the GM Bot malware on underground markets, IBM's X-Force team has provided an updated look at the mobile malware underground landscape.
Researchers sayid that, since March, GanjaMan has managed to get himself banned from the best-known malware selling forum, and his GM Bot, the origin source of today's most vicious Android malware, is now off the main markets.
This gap was quickly filled, and IBM experts say they've identified the three candidates fighting for the top spot in Android banking malware.
KNL Bot
KNL Bot is considered the most advanced of the three. Its developer is bragging that his malware has almost all of GM Bot's features but at half the price of GM Bot's low-end package. GM Bot's cheapest version was provided at $8,000/month, meaning KNL Bot's price is around $4,000/month.
The malware's ad claims that KNL Bot can show overlay screens to trick users into thinking they're inside an authentic app, but is also capable of intercepting SMS messages, making or forwarding calls, gaining root persistence, and working in stealth mode (screen off, no sound or vibrations).
Additionally, besides the now obligatory bot control panel, KNL Bot also offers the option to control infected devices (bots) via SMS messages.
Bilal Bot
Ranked as the second-best alternative to GM Bot, Bilal Bot costs around $3,000/month, but its author is also providing free unlimited bug fixes.
Out of all sellers, the author of this malware is the most aggressive in its marketing, taking jabs at GM Bot and his competition. He claims that GM Bot is currently easy to detect because of its past history, but also because of its long list of unresolved bugs because of poor technical support.
Bilal Bot's author says that, despite his malware creation being in a testing phase, it still has all the main features to be used as an effective Android banking trojan.
The crook claims that his malware's best feature is something not yet released that will allow the buyers to edit the bank phishing overlays right from the botnet's control panel.
Cron Bot
Last but not least, there's Cron Bot, the newest malware variant on the market, spotted for the first time on April 1, 2016.
This malware strain has the advantage of working on iOS as well as Android, is only 400 KB in size, comes with a builder, and its pricing starts from $4,000/month and goes up to $7,000/month based on desired features.
The author claims that his malware includes features such as SMS hijacking, CC grabbing, user private data gathering, call forwarding, USSD grab, and overlay screens, all without root access.
As you can see, all the three malware variants, along with the original bots, are only sold as rentable services. Following the famous banking trojan leaks from the desktop malware market, malware coders are much more attached to their code and avoid as much as possible passing it to their clients so it won't get leaked by a disgruntled customer, as like it happened with other malware in the past.