Researchers Trace Android Malware Back to Common Sources
The code for a number of malicious Android programs suggests a common source, whether a single developer or competing groups, according to a pair of analyses from IBM and FireEye.

Code analysis has established a link between a number of malicious Android programs, suggesting that they are likely the work of a single developer or the product of code sharing—whether intentional or inadvertent, according to a report published by security company FireEye on March 11. The analysis focused on a malicious Android program known as GM Bot, the source code of which was leaked late last year, and on the binaries of a number of other programs previously analyzed by FireEye. The company’s researchers compared the binary versions of the code and found enough similarities to two other programs, Slembunk and SimpleLocker, to establish a common origin.

“We do not know if [that origin] was the same developer or someone who had access to the source code,” Jimmy Su, manager of threat research for FireEye, told eWEEK. “This kind of reusing could also come from reversing the app into byte code.”

GM Bot, designed to steal banking credentials from Android phones, is a flexible Trojan that can place overlay windows on top of a banking application to steal usernames and passwords, control a phone’s texting capabilities, forward calls to the attackers and allow remote control, according to IBM, which analyzed the source code in February.
The source code for GM Bot was posted to a Russian-language forum for cyber-criminals in December 2015, according to the IBM report. The source code led researchers from IBM to conclude that the software was closely related to a few other Android programs or variants, such as MazarBot, SlemBunk, Bankosy and Slempo.
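The kind of code-similarity comparison the FireEye and IBM researchers describe can be illustrated with a toy version. The following is an added example, not code from either report: three constructed Dalvik opcode sequences (operands stripped) are reduced to opcode 3-gram sets and scored with Jaccard similarity; the sample names, opcode sequences and the 0.5 threshold are all assumptions for illustration.

```python
"""Toy opcode n-gram similarity check, modelled loosely on the binary
comparison described in the article. Constructed data; not from the
FireEye or IBM analyses."""
from itertools import combinations

# Constructed opcode sequences standing in for disassembled methods.
# sample_a and sample_b share an overlay-style routine (obtain a
# WindowManager, add a view, read a text field, send the value out) and
# differ only by one inserted const-string; sample_c is an unrelated
# array-building helper. Real analysis would also normalise strings,
# registers and class names before comparing.
SAMPLES = {
    "sample_a": ("invoke-virtual move-result-object check-cast new-instance "
                 "const/16 invoke-direct invoke-interface invoke-virtual "
                 "invoke-static invoke-virtual"),
    "sample_b": ("invoke-virtual move-result-object check-cast new-instance "
                 "const/16 invoke-direct invoke-interface invoke-virtual "
                 "invoke-static const-string invoke-virtual"),
    "sample_c": "const/4 new-array aput aput invoke-static move-result return",
}


def opcode_ngrams(listing, n=3):
    """Return the set of n-grams over the opcode tokens of one listing."""
    ops = listing.split()
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def related_pairs(samples, threshold=0.5, n=3):
    """Sample pairs whose opcode n-gram Jaccard score meets the threshold."""
    grams = {name: opcode_ngrams(src, n) for name, src in samples.items()}
    pairs = []
    for x, y in combinations(sorted(grams), 2):
        score = round(jaccard(grams[x], grams[y]), 2)
        if score >= threshold:
            pairs.append((x, y, score))
    return pairs


if __name__ == "__main__":
    for x, y, score in related_pairs(SAMPLES):
        print(f"{x} <-> {y}: Jaccard {score}")
```

With these inputs only sample_a and sample_b are flagged (score 0.7); the unrelated sample_c shares no 3-grams with either.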