Report: Android Banking Botnet Targeted RussiansResearchers Discovered Geost Botnet After Attackers Made Operational Security Mistakes
A large-scale banking botnet has targeted approximately 800,000 Android devices belonging to Russian citizens since at least 2016, according to a new research report by a trio of cybersecurity researchers.
See Also: Top 50 Security Threats
The botnet, which researchers call Geost, used at least 140 malicious domains and 13 command-and-control servers scattered throughout the world to target victims and expand its reach, according to the report published on October 2 by researchers from Czech Technical University, the UNCUYO University of Argentina and security firm Avast.
Over the years, the attackers behind Geost had access to "several million Euros" within Russian bank accounts, according to the researchers. It's not clear, however, how much the group may have taken over the last three years.
The researchers found that the attackers targeted customers of at least five Russian and Eastern European banks by hijacking SMS traffic between these financial firms and their customers.
Series of Operation Mistakes By Attackers
The attackers made a series of operational and tactical errors that gave investigators unusual insights into how the botnet worked and who was targeted.
For instance, the cybercriminals failed to encrypt their communications, giving researchers a window into their inner workings. The chat logs revealed how the gang accessed servers, brought new devices into the botnet and how they evaded security tools, the research report says. The logs also allowed the researchers to monitor the group's social interactions with each other.
"Moreover, the operational security mistakes led to the discovery of the names of members of an underground group related to the Geost botmasters," according to the report. "It is seldom possible to gain such an insight into the decisions taken by attackers due to failures in their operational security."
Within those chat logs, the researchers found about 30 members, with one, known as "powerfaer," identified as the probable owner of the chat group.
The researchers say they first discovered the Geost botnet while studying malware known as Htbot, which can provide a proxy service that can be rented to give its users semi-anonymous communication across the internet.
In most cases, it's difficult for security researchers to follow the Htbot network, because the traffic is bounced from one infected device to another, which helps disguise the communications between bad actors. In this case, however, the research team monitored all the Htbot bots operating across the internet, capturing that traffic and analyzing patterns.
Through this analysis, the researchers found a command-and-control server connected to a botnet, which they later called Geost, the report notes. Repeatedly relying on the Htbot proxy network to communicate was another operational security mistake, the researchers say.
Targeting Android Devices
The Geost botnet was designed to target Android devices, according to the research report.
The devices were targeted with 150 APKs - programs for Android devices that allow users to download Gmail attachments to their devices. The researchers found that the APKs resembled a number of fake applications that mimicked legitimate apps found in the official Google Play store, including those for banks and social networks.
Once the Android devices were infected, they would connect with the attackers' command-and-control server so they could be remotely controlled. The attackers seemed most interested in accessing a victim's SMS messages, according to the report. The gang could then send SMS messages, communicate with the banks and redirect traffic.
"Once the applications are installed, it seems that they may be able to interact directly with the web services of five banks in Eastern Europe and Russia," the report states.
One reason that SMS was a target is that many Russian banks still send customers plaintext passwords for their accounts, the research shows.
In addition to monitoring the bank accounts, the controllers of this botnet could gather personal information about victims from their device, including phone numbers, full name, address, current bank account information, history of bank balances, and whether a credit card was attached to the account, the research report finds.
How Much Stolen?
In the course of their investigation, the researchers were able to access the login and main page of one of the command-and-control screens connected to the botnet. There, they found 50 names on one screen with a column labelled "Balance" that showed the amount of money in Russian Rubles in the bank accounts of the victims.
With 50 victims per page and 1,452 pages within the one server, the researchers estimated that that each command-and-control housed information on 72,600 victims, the report notes.
"Extrapolating this to the 13 command-and-control servers, a rough estimation of the total number of victims may be 871,200. It is possible that even more victims exist, given that there may be more such servers," the researchers say.
The total sum of the bank account balances of 50 victims on the one page is over 1.1 million Rubles, which is approximately $16,500. If this estimate is carried out across 800,000 victims, then the total amount of money that the attackers had access to was more than $264 million, the researchers note.
Android-based devices have become an attractive target for threat actors. Attackers usually depend on mechanisms such as fake apps and other sophisticated tools to steal sensitive credentials.
In July, for instance, a newly discovered mobile ransomware strain called Filecoder.C was seen targeting Android devices through malicious links in online forums and then spreading via contact lists through SMS messages that attempt to entice others to install an app, according to ESET(see: Mobile Ransomware Targets Android Users Through SMS).
In January, Google dropped two apps from its Play Store that were linked to banking malware called Anubis, according to researchers from Trend Micro