Researchers Trace Android Malware Back to Common Sources

The code for a number of malicious Android programs suggests a common source, whether a single developer or code shared between competing groups, according to a pair of analyses from IBM and FireEye.


Code analysis has established a link between a number of malicious Android programs, suggesting that they are likely the work of a single developer or the product of code sharing—whether intentional or inadvertent, according to a report published by security company FireEye on March 11.

The analysis focused on a malicious Android program known as GM Bot, the source code of which was leaked late last year, and on the binaries of a number of other programs previously analyzed by FireEye. The company's researchers compared the compiled binaries and found enough overlap between GM Bot and two other programs, SlemBunk and SimpleLocker, to establish a common origin.

“We do not know if [that origin] was the same developer or someone who had access to the source code,” Jimmy Su, manager of threat research for FireEye, told eWEEK. “This kind of reusing could also come from reversing the app into byte code.”

GM Bot, designed to steal banking credentials from Android phones, is a flexible Trojan that can place overlay windows on top of a banking application to steal usernames and passwords, control a phone’s texting capabilities, forward calls to the attackers and allow remote control, according to IBM, which analyzed the source code in February.

The source code for GM Bot was posted to a Russian-language forum for cyber-criminals in December 2015, according to the IBM report. The source code led researchers from IBM to conclude that the software was closely related to a few other Android programs or variants, such as MazarBot, SlemBunk, Bankosy and Slempo.

FireEye confirmed the link and found that those variants share similar major program components with GM Bot. In addition, GM Bot has similarities to a 2014 ransomware program known as SimpleLocker, FireEye’s Su said.

“We are tracing the evolution of this particular family of this malware, so we were able to attribute it to a sample that was earlier than what IBM had found,” he said.

Leaks of malware source code are not uncommon. In 2004, the alleged author of the widely used Agobot malware kit posted its source code online, leading to a large spike in variants.

The leak of the source code for the Zeus banking Trojan led to a similar increase in malware built on that code. SpyEye, Gozi and Carberp are among the other malicious programs whose source code has leaked in the past decade.

Malware targeting the Android mobile platform will likely become more common after the leak of source code for GM Bot, researchers said.

“It is definitely a game changer in the realm of mobile threats,” Limor Kessem, security researcher for IBM X-Force, stated in the February blog post. “Its source code leak, similar to the Zeus leak, is likely to give rise to many variations of this sort of malware.”

The analyses by both IBM and FireEye further suggest that the common set of functions could be used to create a wide variety of malware.

“Malware with specific and varied purposes can be built on a large base of shared code used for common functions such as gaining administrative privileges, starting and restarting services, and CnC [command-and-control] communications,” FireEye said in its report.
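The binary comparison FireEye describes, and the "large base of shared code" it refers to, can be illustrated with a small opcode n-gram similarity check. This is an added example written for this article, not FireEye's or IBM's tooling. Every method name and opcode sequence in it is constructed for illustration; in real analysis the sequences would be pulled from a sample's classes.dex with a disassembler such as baksmali, and the comparison step would be the same.

```python
"""Toy opcode n-gram similarity check, of the kind used to link malware samples.

Added example for this article; it is not FireEye's or IBM's tooling. Each
"sample" maps method names to a Dalvik-style opcode sequence. All sequences
and names below are constructed for illustration, not extracted from any real
binary. In practice they would come from classes.dex via a disassembler
(e.g. baksmali); the comparison step is the same.
"""


def opcode_ngrams(opcodes, n=3):
    """Set of opcode n-grams for one method. Using only opcodes (no registers,
    no string constants) lets the comparison survive register renaming and
    trivial string changes; using a set ignores how often a fragment repeats."""
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets, 1.0 when both are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def shared_methods(sample_a, sample_b, n=3, threshold=0.8):
    """For each method in sample_a, find its most similar method in sample_b.
    Returns (method_a, method_b, score) for pairs at or above the threshold."""
    matches = []
    for name_a, ops_a in sample_a.items():
        grams_a = opcode_ngrams(ops_a, n)
        score, name_b = max(
            ((jaccard(grams_a, opcode_ngrams(ops_b, n)), name_b)
             for name_b, ops_b in sample_b.items()),
            default=(0.0, None),
        )
        if score >= threshold:
            matches.append((name_a, name_b, round(score, 2)))
    return matches


def sample_similarity(sample_a, sample_b, n=3, threshold=0.8):
    """Fraction of sample_a's methods that have a near-identical counterpart
    in sample_b. High values suggest shared components, not a shared author."""
    if not sample_a:
        return 0.0
    return len(shared_methods(sample_a, sample_b, n, threshold)) / len(sample_a)


# Constructed routines. Two are shared verbatim across samples (the kind of
# "common function" the article describes), one is a lightly edited variant,
# the rest are unique to one sample.
DEVICE_ADMIN = [  # request device-admin rights
    "new-instance", "invoke-direct", "const-string", "invoke-virtual",
    "move-result-object", "const-string", "invoke-virtual", "invoke-virtual",
    "return-void",
]
C2_BEACON = [  # check in with the C2 server
    "const-string", "new-instance", "invoke-direct", "invoke-virtual",
    "move-result-object", "check-cast", "const-string", "invoke-virtual",
    "invoke-virtual", "move-result", "if-eqz", "return-void",
]
C2_BEACON_V2 = C2_BEACON[:10] + ["if-nez", "return-void"]  # one branch flipped
OVERLAY = [  # draw a window over a banking app
    "iget-object", "const/4", "invoke-virtual", "move-result-object",
    "new-instance", "invoke-direct", "const/high16", "invoke-virtual",
    "invoke-virtual", "return-void",
]
SMS_INTERCEPT = [
    "const-string", "invoke-virtual", "move-result-object", "check-cast",
    "array-length", "if-eqz", "aget-object", "invoke-virtual", "return-void",
]
RANSOM_ENCRYPT = [
    "const-string", "invoke-static", "move-result-object", "new-array",
    "invoke-virtual", "move-result", "if-ltz", "invoke-virtual", "goto",
    "return-void",
]

# Constructed samples; the names echo the article's families, nothing more.
GM_BOT = {"DeviceAdmin.request": DEVICE_ADMIN, "Net.beacon": C2_BEACON,
          "Overlay.show": OVERLAY}
SLEMBUNK = {"Admin.ask": DEVICE_ADMIN, "Cnc.ping": C2_BEACON,
            "Sms.intercept": SMS_INTERCEPT}
SIMPLELOCKER = {"a.b": DEVICE_ADMIN, "a.c": C2_BEACON_V2, "a.d": RANSOM_ENCRYPT}
BENIGN = {
    "MainActivity.onCreate": ["invoke-super", "const/high16", "invoke-virtual",
                              "const-string", "invoke-static",
                              "move-result-object", "invoke-virtual",
                              "return-void"],
    "Helper.format": ["new-instance", "invoke-direct", "invoke-virtual",
                      "invoke-virtual", "move-result-object", "return-object"],
}

if __name__ == "__main__":
    for name, other in (("SlemBunk", SLEMBUNK), ("SimpleLocker", SIMPLELOCKER),
                        ("benign app", BENIGN)):
        print(f"GM Bot vs {name}: {sample_similarity(GM_BOT, other):.2f}",
              shared_methods(GM_BOT, other))
```

With the constructed data, two of GM Bot's three routines match SlemBunk exactly, one matches SimpleLocker exactly and a second (the C2 beacon with one branch flipped) only clears a looser threshold, while the benign app shares nothing. That is the shape of the evidence in the article: reused components, not proof of a single author, which is exactly the caveat Su raises. Two practical checks before trusting such a score on real binaries: exclude methods that are Android SDK or library boilerplate, which will match across unrelated apps, and remember that opcode n-grams are defeated by obfuscators that reorder or inflate code, so a low score is weaker evidence than a high one.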

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...