A series of basic operational-security mistakes gave researchers an unexpected front-row seat to how a criminal gang ran an Android banking botnet.
The Geost botnet, in operation since at least 2016, consisted of at least 140 command-and-control servers, 140 domains, more than 140 Android packages, and over 800,000 infected Android devices, researchers from the Czech Technical University, UNCUYO University, and Avast said at the Virus Bulletin conference in London. The botnet’s malware was a banking Trojan and primarily focused on five banks in Eastern Europe and Russia. The group is estimated to have controlled several million Euros, the researchers said.
The researchers discovered the botnet through a “rare chain of OpSec mistakes,” such as not encrypting their communications and reusing third-party services. As a result, the researchers obtained malware samples and could see how the operation was organized across different teams: how money transfers were made, how the malware was developed, and how the different operatives interacted. The researchers were also able to identify two of the criminals in the group.
“We really got an unprecedented view into how an operation like this functions,” Avast researcher Anna Shirokova said.
The group made “some very poor choices in how it tried to hide its actions,” Shirokova said. One was using a proxy network called HtBot to get online; the other was not encrypting their connections while using that proxy. They made other mistakes as well, such as reusing the same credentials across different services and leaving a Skype chat log of conversations between several of the group’s developers on a publicly accessible website.
The group’s decision to rent a malicious proxy network built by the HtBot malware made it possible for the researchers to find them. The proxy service provides customers with pseudo-anonymous connections to the internet, but what the group didn’t realize was that the researchers had already been studying malware samples and looking at the service. Because the group didn’t encrypt their activities over the proxy network, the researchers were able to see what they were doing.
The group paid little attention to protecting its communications, relying on ordinary consumer messaging tools and leaving the chat history stored in the clear. The researchers found Skype chat logs on public servers that revealed how the criminals accessed their servers, infected new devices, and built malware that could evade antivirus software. The chat logs also showed how the group handled money laundering and payments, and how it used information collected from infected Android devices to break into victims’ bank accounts.
"Criminals don't want to spend years developing – they don't have the money or resources for it,” Shirokova said. “Most of the time it’s simple because criminals use something which is available. They just want to make money.”
Despite the relative unsophistication of the group’s communication methods, the botnet it ran was a complex infrastructure of infected Android smartphones. The group modified legitimate Android APKs from Google Play to add malicious capabilities such as intercepting SMS messages and collecting user information. These APKs, weaponized versions of popular banking, gaming, and social networking apps, were uploaded to third-party Android app stores.
Once a phone was infected and connected to the botnet, the attackers used the command-and-control servers to read and send SMS messages from the device, communicate with the targeted banks, and redirect the device’s traffic to other sites. The attackers kept track of the victims’ bank balances to determine who had the most money to steal. Because they controlled SMS on the infected device, they were able to intercept the banks’ text messages, which carried passwords in plaintext.
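The capability described above (a repackaged game or social app that quietly registers to receive incoming SMS) leaves a visible footprint in the app’s manifest. The following triage check is an added example, not code from the researchers, from Avast, or from the Geost operators; it parses an AndroidManifest.xml as a tool such as apktool would decode it and flags the permission-plus-receiver combination a banking Trojan needs to capture one-time codes sent by SMS. The two manifests embedded in the block are constructed for illustration and do not correspond to any real Geost sample.

```python
"""Flag SMS-interception capability in a decoded AndroidManifest.xml.

Added example (not the researchers' or the operators' code). The heuristic:
an app that is nominally a game or social client but requests SMS permissions
and registers a BroadcastReceiver for SMS_RECEIVED, especially with a raised
priority, matches the capability the article describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a "puzzle game" that wants SMS access and network access.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Puzzle Game">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: the same kind of app without any SMS footprint.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Puzzle Game">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return the SMS permissions, SMS receivers and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = attr(filt, "priority")
                receivers.append({
                    "name": attr(rcv, "name"),
                    "priority": int(prio) if prio is not None else 0,
                })

    findings = []
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
    for r in receivers:
        findings.append("receiver %s listens for SMS_RECEIVED (priority %d)"
                        % (r["name"], r["priority"]))
        # On pre-KitKat Android a higher-priority receiver could also abort the
        # broadcast and hide the message from the user's messaging app.
        if r["priority"] > 0:
            findings.append("raised-priority SMS receiver: can act on a message "
                            "before the default messaging app")
    if ("android.permission.RECEIVE_SMS" in perms and receivers
            and "android.permission.INTERNET" in perms):
        findings.append("SMS capture plus network access: matches an "
                        "OTP-exfiltration pattern, review the receiver code")

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST),
                        ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest(text)
        print("%s (%s):" % (label, result["package"]))
        for line in result["findings"] or ["no SMS-related findings"]:
            print("  -", line)
```

The check is a triage heuristic, not proof of malice: legitimate messaging or two-factor apps request the same permissions. Its value is in comparing a third-party-store APK against the Play Store original of the same package name; SMS permissions and an SMS receiver that appear only in the repackaged copy are the signal worth following up with a look at the receiver’s code.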
"Sometimes people think the most efficient malware should be super-obfuscated, super-developed for years and years. Sometimes that's true, but in most cases it's very simple," Shirokova said.
Along with seeing how the group functioned, the chat logs gave researchers insights into how the criminals felt about their activities. There was one member who wanted to quit the operation, but a team leader urged that person to stick it out, according to the Skype chat logs the researchers found. "If we started together we need to finish it. Because for now this is working and we can earn money," the leader told the member. “Not every day we are getting 100k for promotion.”
As the botnet is still active, the researchers plan to keep digging and to try to identify the criminals running Geost. The chat logs revealed two usernames believed to belong to two of the operation’s leaders. The usernames appear to have been reused on other websites, giving the researchers a good starting point.