Currently, users mostly from in Eastern Europe & Russia are being targeted by this botnet.
Recently, researchers from the Czech Technical University, UNCOYO University based in Argentina and Avast Security have found an Android botnet named Geost by collaborating in on the investigations and have presented it at the Virus Bulletin 2019 conference held in London.
It was uncovered initially when its traffic was captured by a HtBot Malware on the server. The malware in question was being used to access millions of Euros in bank accounts based in Eastern Europe & Russia compromising more than 800,000 victims.
The botnet was basically composed of numerous Android phones which were were infected by getting them to download malicious applications that had been uploaded by attackers on third-party Android stores. Using access to text messages on these phones, the malware took advantage of a common practice of Russian banks to send users plaintext passwords via SMS. In cases where this technique did not work, other methods such as the apps asking for login credentials were used.
With the help of 13 command and control servers, over 140 domains and over 140 APKs at its disposals, things were going pretty well for them – since 2016 – until the group members started making basic mistakes. These were those that you could reasonably expect from newbies but our cybercriminals here didn’t fail to disappoint either.
Among these, they trusted a malicious proxy network, used their command and control server along with chatting without encryption and kept on using the same services lest caring to cover their tracks. One such chat session on Skype when accessed gave insight into the workings and the mindset of the group going along the lines of:
Member 1: “Alexander, really, if we started together we need to finish it. Because for now this is working and we can earn money.”
Member 2:”I thought about it, and I’m not in.”
Member 1: “Understand, ok. Shame. If you change your mind write to me.”
According to Avast,
“These involved more than 6,200 lines, covering eight months of chats, and showed the private conversations of 29 people involved in different operations.”
The takeaway from this is best summed up by realizing that not all malware has to be complex and neither do hackers always have to be boxed up in super security facilities typing away on a green screen. Sometimes, to achieve the short term goal of earning quick cash, necessary security protocols are not followed resulting in such incidents.
Our advice remains the same as for the majority of such cases, if users avoid downloading applications and other files from untrusted sources, they wouldn’t be prey to any such malware inlet.