A chain of operational security lapses led to the discovery of a large Android banking botnet targeting Russian citizens. A new botnet dubbed Geost that has been active since at least 2016 has infected more than 800,000 Android devices and potentially accessed several millions Euros in the bank accounts of the victims, according to researchers from Czech Technical University, UNCUYO University, and Avast.
The existence of the Geost botnet came to light because of several OpSec mistakes made by its operators. The discovery was made when the botmasters decided to trust a malicious proxy network built using a malware called HtBot that converts the infected victim into an unwilling and illegal proxy that receives traffic from the underground HtBot network and sends it to the Internet. During the analysis of the HtBot network communication, the researchers uncovered a large malicious operation infecting more than 800,000 Android-based devices.
In addition to the use of a non-reliable anonymization platform to cover their tracks, the botmasters also failed to encrypt their command-and-control servers and chat sessions, re-used security services and collaborated with other attackers with even less OpSec. All of these allowed researchers to sneak a peak on inner workings of the group, specifically, how the criminals accessed servers, gathered new devices into the botnet, how they evade antivirus software, and also to get a clue about their social relationship within the group.
The Geost malware operation involves at least 13 command-and-control servers (C&C) in six countries and more than 140 malicious domains. The malware is distributed via fake, malicious applications; it compromises Android devices so that attackers can remotely interact with the web services of five specific banks in Eastern Europe, potentially allowing them to steal money.
“The botnet could directly connect to the top five banks in Russia to operate, and deployed more than 200 Android APKs to fake dozens of applications,” the research team revealed. “It seems that one of the goals of the botnet is to access the personal information of the victims through their SMS messages, including those messages sent by the banks.”
One of the analyzed Geost’s C&C servers contained 1,452 pages of victim information, with 50 victims listed per page for an estimated total of 72,600 victims. On one sample page, the researchers found a set of 50 victims who collectively possessed 1,129,152 rubles (~15,000 Euros) in their bank accounts. Extrapolating this number to the estimated 871,200 victims the researchers came to a conclusion that the Geost operators could have had access to more than 800,000 accounts, collectively holding about 240 million Euros in funds.
“The discovery of the Geost Android banking botnet inside the traffic of another malware proxy shows that operational security is very hard to get right, and that simple mistakes can lead to deep understanding of the operations of malware authors. After the discovery of the Geost botmasters accessing their C&C servers it was possible to find more and more pieces of their botnet infections, leading to a very large mapping of their attack infrastructure, their APK binaries, the number of victims infected, and an estimation of the economic size of the operation. Finally, it was possible to use open-source intelligence to relate a group of developers to part of the infrastructure-building process of the botnet. The developers do not seem to be the Geost botmasters, but an underground group related to them,” the report concluded.