Android banking botnet malware based on publicly available source code has been discovered on Google Play. Weak security of the C&C server allowed ESET to analyse the botnet.
In their investigation of the botnet-forming Android banking malware found on Google Play, ESET researchers discovered that both the Android Trojans and the C&C server were built using source code that was made public in December 2016.
Android users were exposed to malware, disguised as weather forecasting apps, capable of stealing banking credentials and locking the screens of infected devices. Two versions of the botnet-forming Trojan made it onto Google Play. Each had a lifetime of several days and together achieved thousands of downloads before being detected by ESET and taken down by the Google security team in mid-February.
A thorough investigation by ESET analysts revealed that these banking Trojans are modified versions of source code made available online. Allegedly written from scratch, the “template” code of the binary, along with the code of the command and control server, which includes a web control panel, has been available on Russian forums since late December 2016.
“On top of the source code being available to virtually anyone, the C&C server itself has also been left accessible to whoever has the URL, without requiring any credentials,” says ESET malware researcher Lukas Stefanko.
Analysis of the C&C server, which has been active since February 2, 2017, has revealed a list of victims. By February 23, when the C&C server was taken down by the hosting company based on ESET’s notice, the botnet contained 2,810 victims from 48 countries, but fortunately Ireland was not among them.
The fact that the source code of another example of Android banking malware has been made available online may lead to its proliferation, according to ESET security experts. “With tools for creating Android banking malware now accessible more easily and for free, Android users should take even more care about prevention,” recommends Lukas Stefanko.