Beware! This Android banking trojan intercepts SMS messages and bypasses 2SV

It may be targeting your bank already…

David Bisson


Watch out! A type of Android banking trojan capable of intercepting SMS messages is currently targeting at least 50 major banking organizations worldwide.

The malware goes by many names. Acecard, Slembunk, and Bankosy are a few, though it’s most widely known as GM Bot.

In the last three months, researchers at Avast have recorded 200,000 instances in which its users have encountered the trojan. That’s probably because the malware is now targeting Bank of America, American Express, Chase, Discover, JP Morgan Chase, National Australia Bank, ING Direct, Credit Karma, Deutsche Bank, and other well-known financial organizations with fake login pages designed to steal customers’ credentials.

[Image: Db overlay]

Here’s how the trojan works.

Once downloaded (it usually disguises itself as an adult video player hosted on third-party websites), the malware hides the fake app’s icon from the home screen and then asks for administrative privileges.

[Image: admin rights request]

Nikolaos Chrysaidos of Avast explains why you don’t want to grant those rights to the malware:

“With full administrative rights, GM Bot knows and can control everything happening on an infected device. The malware springs into action when an app from its list, which mainly consists of banking apps, is opened.”

Sure enough, when you open a banking app the malware will overlay its own login page designed to steal your personal and financial information.

Is your account protected by two-step verification (2SV)? Not a problem for GM Bot! It takes after other banking malware like Android/Spy.Agent.SI and Trojan-Banker.AndroidOS.Tordow.a in that it can intercept SMS messages and, by extension, bypass 2SV.


Once it has gathered all the information it wants, GM Bot will send the data to a command and control (C&C) server, where its authors can abuse victims’ details to commit fraud or identity theft.

[Image: information sent to the C&C server]

Chrysaidos is deeply concerned about the malware’s new list of targets:

“GM Bot’s source code was leaked in late December 2015, so it is now available to everyone, so just about anyone with a bit of tech knowledge can distribute the malware. Cybercrooks can go a step further and tweak GM Bot’s code, customizing it to gather more information. This means that new variants with new and different capabilities are constantly being created.”

Fortunately, users can protect themselves against GM Bot just as they would any other piece of mobile malware.

For starters, they should always download apps from trusted developers on official app marketplaces like Google’s Play Store and Apple’s App Store, not third-party websites.

The official marketplaces have better vetting mechanisms for their apps. Users should also read the reviews of each app before downloading it, since another user may already have reported malicious activity, and should check that the app doesn’t ask for permissions that are excessive for its advertised features.
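As an added example (not code from the article or from Avast), the Python script below triages a decoded AndroidManifest.xml for the traits described above: SMS permissions that would let a trojan read 2SV codes, the overlay permission used to draw a fake login page over a banking app, a device-admin receiver, and permissions a self-described video player has no business requesting. The sample manifest and the set of permissions a video player is assumed to need are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for GM Bot-style red flags.
Added example, not the article's or Avast's code. Sample data is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Assumption: what a plain video player plausibly needs. Anything beyond this
# is "excessive for the advertised feature" in the article's sense.
VIDEO_PLAYER_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WAKE_LOCK",
}

def triage_manifest(manifest_xml):
    """Return the red flags found in one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks to become a
    # device administrator, the "administrative privileges" the trojan wants.
    device_admin = any(
        r.get(A + "permission") == DEVICE_ADMIN_PERM for r in root.iter("receiver")
    )
    return {
        "sms_access": bool(perms & SMS_PERMS),  # could read a 2SV code
        "overlay": OVERLAY_PERM in perms,       # could draw a fake login page
        "device_admin": device_admin,
        "excess_perms": perms - VIDEO_PLAYER_EXPECTED,
    }

def risk_score(traits):
    """Count the three article-described traits; 2 or more merits a closer look."""
    return sum(bool(traits[k]) for k in ("sms_access", "overlay", "device_admin"))

# Constructed manifest of a "video player" showing all three traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    traits = triage_manifest(SAMPLE_MANIFEST)
    print(traits, "score:", risk_score(traits))
```

Decode the manifest first with a tool such as apktool; the script reads the plain-XML form, not the binary one inside the APK.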

Finally, users should install a mobile anti-virus solution onto their Android devices. Yes, anti-virus can have its limitations… but it does provide an additional layer of protection.

And the more protection you can get, the better off you’ll be.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Beware! This Android banking trojan intercepts SMS messages and bypasses 2SV”

  1. Scott

    Hi David, what would you recommend for AV for Android?

  2. Mr Sean Durrant

    Does it make any difference if you have something like the Google 2 step verification app?
