Cybersecurity researchers have discovered a new Android banking trojan that was being used to gather intelligence on its victims, including how much money they had.
According to a joint announcement, researchers from the Czech Technical University, UNCUYO University and the cybersecurity firm Avast discovered the Geost botnet through a “rare chain of OpSec mistakes”. The operators were routing their traffic through a compromised proxy network called HtBot, and did not even encrypt that communication, which eventually led to their discovery.
This discovery unveiled the botnet which infected more than 800,000 Android devices and potentially controlled a few million Euros. The hackers were spreading fake Android applications, including fake bank and fake social network apps. Once infected, the phones connect to the botnet, allowing hackers remote access and control.
The hackers mostly used this access to read and send SMS messages, communicate with banks, redirect traffic and gather data. This allowed them to profile their victims and work out which of them held the largest account balances.
The botnet had a complex infrastructure including at least 13 C&C IP addresses, more than 140 domains, and more than 140 APK files. Five banks, mostly in Russia, were the primary targets of the banking trojan; full details are given in the research paper.
“We really got an unprecedented view into how an operation like this functions,” said Anna Shirokova, researcher at Avast. “Because this group made some very poor choices in how it tried to hide its actions, we were able to see not just samples of the malware, but also delve deep into how the group works, with lower-level operatives bringing devices into the botnet and higher-level operatives determining how much money was under their control. All told, there were over eight hundred thousand victims and the group potentially controlled millions in currency.”