The GM Bot mobile banking malware has been revamped to deploy on Android 6 devices, effectively bypassing the security measures put in place on the operating system.
IBM X-Force Research reported that this new version works on all Android versions up to Marshmallow and that reports of the demise of its original developer were incorrect: while the malware had fallen into the shadows of late, it is alive and has been continuously updated. GM Bot is overlay malware that harvests personally identifiable information and is also able to access transaction authorisation codes sent via short message service (SMS), view device information, intercept, forward or initiate phone calls, and lock the device's screen.
One primary feature of the updated malware is its ability to bypass the deprecation block built into Android. The malware's creator, known in hacking circles as GanjaMan, simply used an off-the-shelf open-source method, Limor Kessem, executive security advisor for IBM Security, told SCMagazine.com in an email.
“In this case, the developer did not go far into programming genius. Rather, he used an open-source method documented on GitHub and began implementing a process enumeration to find out which app was running in the foreground — a good, heuristic way to figure it out,” Kessem said.
Prior to this revamp, IBM found that both GM Bot and GanjaMan had gone through some tough times. The malware was first discovered in October 2014 and was then marketed until February 2016, when a disgruntled customer released the source code. GanjaMan quickly bounced back from this by releasing a new version just a few weeks later with an even stronger ability to exploit the Android operating system. This enabled him to raise GM Bot's price from $5,000 (£4,100) to $15,000 (£12,250), Kessem said.
However, shortly after the release, GanjaMan found himself banned from the marketplace where he sold GM Bot because of a customer dispute.
“Since then, GM Bot was believed to have vanished, but we did not expect the author to abandon his misdeeds altogether due to a mere forum ban,” Kessem said.