GM Bot, considered by many as the most advanced Android banking trojan known today, has just received a major update, which now allows it to target users of smartphones that run Android 6, aka Marshmallow.
Released in October 2015, for a period of time, many thought Android 6 to be impervious to threats like GM Bot and other malware families that rely on the tactic of overlaying fake content on top of other apps.
First signs of trouble appeared in May 2016, when Symantec researchers discovered Android malware abusing Android’s Accessibility feature to target Android 6, and then in June 2016 when malware began using two other workarounds.
GM Bot integrates AndroidProcesses
According to an IBM report released yesterday, GM Bot’s author, a malware coder named GanjaMan, had apparently read those reports as well because he integrated one of those two workarounds in GM Bot’s source code.
The latest version of GM Bot now includes source code taken from the AndroidProcesses GitHub project by Jared Rummler, which adds the capability to query the Android OS for currently running apps by reading content from the “/proc/” system file.
The ability to read a list of current running apps allows an attacker to detect recently opened apps, which are automatically added to the user’s foreground.
Knowing which app is running in the foreground allows the GM Bot malware to select and then show the proper overlay, improving the efficiency of its phishing operations.
Of course, the malware still needs to ask for admin rights via the app it’s installed on every device, so if users were careful about the apps they install, they could avoid GM Bot infections.
GanjaMan continues GM Bot development despite hacking forum bans
As for GanjaMan, IBM reports that he’s still banned from underground hacking forums, from where he was booted last winter, due to a customer dispute, after failing to provide proper customer support.