If a Bank Sends You Your Passwords via a Text Message, This Android Trojan Could Steal Them

Geost Banking Trojan

Do you still think that a successful malware operation depends on talented hackers creating a bespoke piece of malware that can keep security researchers and law enforcement agencies off the scent? You might want to think again. A recently discovered Android banking trojan by the name of Geost, for example, has managed to infect more than 800 thousand devices in Russia and Eastern Europe, and its operators have collected login credentials that could potentially give them access to millions of euros in victims' bank accounts.

They first launched it in 2016, and they managed to keep it under the radar until earlier this year, which is even more astonishing considering the flurry of operations security (opsec) mistakes the crooks made. Before we get to them, however, let's see how Geost works.

Geost – a powerful banking trojan that can steal your passwords

The malware was first detailed in a research paper written by Sebastian Garcia from the Czech Technical University, Maria Jose Erquiaga from the UNCUYO University in the Czech Republic, and Anna Shirokova from Avast. The researchers discovered Geost by accident while reviewing the activity of HtBot – an underground proxy network that malware operators rent in order to redirect their malicious traffic.

While monitoring the communication, the experts noticed an unusually large volume of traffic coming from Russian devices, and after a thorough investigation, they realized that they were looking at a previously undocumented strain of Android malware.

Geost's operators infect their victims by taking legitimate Android applications, boobie-trapping them, and distributing them through third-party app stores. Once it's on the device, the trojan is capable of stealing all sorts of information, though its main focus is on banking passwords.

Most of the credentials are stolen from text messages

Sebastian Garcia told ZDNet that as much as 90% of the compromised passwords were stolen after the bank sent it to the victim as an SMS.

Even if you completely disregard the fact that there are trojans like Geost that can easily steal text messages, the practice of sending online banking passwords as SMSs (which seems to be relatively common in Russia) is still very bad news because it means that the financial institutions are storing them in a human-readable format.

For banks that don't relay sensitive information over an insecure mediums, Geost is designed to phish the credentials using a one-time login form. The stolen data is redirected through the HtBot proxy network and is sent to one of at least 13 C&C servers.

Opsec facepalms led to Geost's discovery

Geost's operators obviously had no idea that the security researchers were monitoring the HtBot proxy network they had hired, but even so, they should have figured out that with more than 800 thousand infected devices, the increased traffic could draw some attention to their operation. They didn't, however, and they also forgot that they should probably do something to protect that data while it's in transit.

The crooks hadn't bothered with SSL certificates for their C&C servers, which meant that the traffic between the infected devices and the crooks' backend infrastructure was fairly easy to intercept. The experts took a peek inside the C&Cs and got a pretty good insight into how the whole operation is run.

They saw statistics on the number of infected phones, which banks were targeted the most, and they got to see first-hand how the malware exfiltrates and automatically processes text messages. This wasn't all, though.

While they were investigating, the researchers stumbled upon a Skype chat log that revealed more than eight months' worth of communication between the Geost operators. Once again, the chat history offered a brilliant close-up of what goes on during a malware operation like this. It revealed yet more opsec mistakes like the sharing of C&C passwords in plain text, and it showed that at one point, some of the cybercriminals involved in the campaign weren't especially happy with what was going on.

The log has also revealed nicknames that have been used at public websites and services, and the researchers said that they'll try to monitor the people who stand behind them. Hopefully, they'll manage to get to them because, despite all their blunders, Geost's operators have still managed to launch a large-scale campaign that is proving to be quite successful.

October 4, 2019

Leave a Reply