Android banking botnet targets thousands

INSUBCONTINENT EXCLUSIVE:
Researchers from the Czech Technical University, UNCUYO University and Avast have discovered a new Android banking botnet targeting Russian citizens that has been operating since at least 2016. The Geost botnet has infected over 800,000 Android devices according to the researchers' estimate, and the hackers behind it potentially control several million Euros. The unusual discovery of the botnet was made when the hackers decided to trust a malicious proxy network built using a malware called HtBot.

The HtBot malware provides a proxy service which can be rented to provide users with a pseudo-anonymous connection to the internet. By analyzing HtBot network communication, the researchers discovered the large malicious operation. The hackers behind the botnet also failed to encrypt their communications, which gave the researchers an unprecedented view into their inner workings.

Their chat logs revealed how they accessed servers, brought new devices into the botnet and evaded antivirus software.

Avast researcher Anna

"really got an unprecedented view into how an operation like this functions."

"Because this group made some very poor choices in how it tried to hide its actions, we were able to see not just samples of the malware, but also delve deep into how the group works, with lower level operatives bringing devices into the botnet and higher level operatives determining how much money was under their control."

appears to be a complex infrastructure of infected Android smartphones.

The phones are first infected with Android APKs which resemble different fake applications, including fake banking apps and fake social networks.

Once an infected phone connects to the botnet, it is remotely controlled and the attackers can access and send SMS messages, communicate with banks and redirect the device's traffic to different sites.

The hackers can also access a great deal of personal information from users of these infected devices. After the infection, command and control servers store a complete list of SMS messages of all the victims, beginning the moment the device became infected.

These messages are processed offline in the C&C server to automatically compute the bank balance of each victim. The Geost botnet has a complex infrastructure made up of at least 13 C&C IP addresses, over 140 domains and more than 140 APK files.

The primary targets of the banking Trojan were five banks, though the majority were from Russia.