Brother
Professional
- Messages
- 2,590
- Reaction score
- 533
- Points
- 113
Researchers from the Czech Technical University, UNCUYO University and Avast studied the Geost Android botnet and the history of its creators, presenting a report on their research at the Virus Bulletin 2019 conference.
A number of mistakes made by criminals led to the disclosure of a banking botnet aimed at residents of Russia. According to researchers, the Geost botnet has been operating since 2016, has already infected more than 800,000 Android devices, and could also control several billion rubles.
The unusual discovery was made after hackers decided to trust a malicious proxy network created using the HtBot malware. This is a proxy service that can be rented to enable users to communicate pseudo-anonymously on the Internet. It was HtBot's network analysis that led to the detection and disclosure of a major malicious campaign that affected more than 800,000 Android devices.
The attackers were extremely unfortunate in their choice of anonymization platforms to hide their tracks. So, they failed to encrypt messages, which allowed researchers to find out details about their inner work. The detected chats showed how hackers accessed servers, introduced new devices into the botnet, and avoided antivirus software. But the most interesting thing is that the researchers were able to detect even the private correspondence of the attackers.
In one of these Skype conversations, a member of the group says that he wants to leave her, but the team lead persuades him to stay: “Alexander, if we started together, we need to finish the work together too. Now it works and we can make money. It's not every day that we get 100 thousand for a promotion. "
Researchers do not quite understand what is meant by "promotion", since the conversation also mentioned money laundering and payments using systems popular among Russian-speaking cybercriminals. Further analysis showed how hackers inject devices into a botnet, how a banking Trojan is delivered to a victim's bank account.
Geost botnet and banker
The botnet, which the researchers dubbed Geost, is a complex infrastructure of infected Android devices. Attackers take legitimate applications from the Google Play store as a basis for malware, edit the code to add malicious capabilities to the actual functionality of the application, and then upload the applications to third-party Android stores. Such counterfeits, for example, imitate games, banking applications and social networking applications.
Once such malware is installed on a phone, it becomes part of a botnet and can be controlled remotely. Typically, attackers can gain access to SMS messages, send them, communicate with banks, and redirect phone traffic to different sites. Also, hackers gain access to a huge amount of personal information about the user. Sometimes malware operators have also triggered the display of fake pop-ups asking for credentials.
After infection, the command and control server saves a complete list of victims' SMS messages, starting from the moment the device was infected. SMS messages are then processed offline on the C&C server to automatically calculate the balance of each victim. After processing the data, malware operators can find out which of the victims has the largest account balance.
The botnet has a complex infrastructure with at least 13 IP addresses, over 140 domains, and over 150 APK files. The main targets of the banking Trojan were five banks, which are mainly located in Russia. Two of these banks do business in Western and Eastern Europe, one is part of a holding with branches in 15 countries.
Since Geost is still active at the moment, the researchers plan to continue to use their knowledge of the group to continue tracking its activities. Indeed, despite the weak operational security of the attackers, they still have access to the vast network of infected devices.
