IBM contacted by Bilal Bot Developer for Publishing Incorrect Details about his Malware.
It’s definitely one crazy turn of events. The supposed author of malicious Trojan Bilal Bot has condemned IBM security staff for publishing incorrect information about his malware and even offered his services to correct the write-up.
Limor Kessem, the security expert at IBM, informed that he was contacted by the developer of this malware via email.
“Why would a developer of crimeware be contacting one of the largest security vendors in the world? You can imagine my surprise when I learned he (or she) was actually seeking my help to better highlight the malware [identified] in our security blog,” stated Kessem.
It must be noted that IBM had revealed details about the said malware in its official blog post in April, in which the malware was identified to be an Android banking Trojan and it was being traded on forums at the Dark Web. At that time, the beta version of the Trojan was being distributed.
According to IBM’s post, the malware was a cost-effective alternative to another powerful mobile banking Trojan, the GM Bot. Since the developers of GM Bot and KNL Bot, two infamous banking Trojans, were banned from the Dark Web, therefore, Bilal Bot became the flavor of the day and received utmost attention from malicious cyber-criminals.
Coming back to the actual news, the developer of the malware sent an email to Kessem expressing his dissatisfaction over the way IBM described the malware. Moreover, the developer was also furious that IBM did not post updated information about his malware.
Kessem reveals additional details the email:
“The alleged author wanted to inform us that Bilal Bot has now moved up from the beta version, resulting in increased features and pricing. He was not happy that we referred to it as a low cost; to him, that constitutes ‘false information’ about his product. Amazingly, he did not hesitate to contact an IBM Security employee to have that fixed!”
IBM’s security staff then immediately examined the malware as per the details explained in the email in order to verify the developer’s claims about Bilal Bot. This was later discovered by the company that the malicious malware indeed had an updated version fully equipped with new features such as call forwarding, accessing and intercepting incoming SMS messages, spying upon and exfiltration of SMS messages and overlay screen integration, etc.
According to IBM, the malware developer(s) wanted to add Tor accessibility and SMS spamming capabilities to the Trojan. Kessem explains:
“Like other mobile malware, this Trojan’s Android application package (APK) can be bound with other, more legitimate-looking apps, Trojanized games, etc. Bilal Bot samples are detected in the wild as overlay malware, based on their malicious mechanism and M.O.”
IBM has no proof of the fact that the person who contacted Kessem through email is actually the developer of the malware. The company maintains that though the sender of the email did have exclusive and legit details of the malware but there were certain issues that hinted on foul play. Such as, the email account had a .ru address, which hints at the possibility of the developer hailing from Russia. However, the malware is being sold in English. Another point is that the official email of the developer that has been listed in the sales post of Dark Web is not the same as the one from which the email was sent to IBM.
Kessem noted that:
“We cannot be certain that the email I received was indeed from the original malware author. That said, whoever sent it did seem to have a strong motivation to update the information about the malware on our blog.”
Kessem further stated that Bilal Bot’s creator contacted the firm because they referred to the malware as a low-cost alternative in comparison to GM Bot in their blog post. Maybe, after the arrival of its advanced version, the price of the malware must have gone up and since the company claimed that it was a low-cost malware, therefore, the developer was uncomfortable as this would have surely lowered the new version’s price in the market.