Over the course of three months, more than 200,000 users have downloaded apps infected with an Android malware derived from the source code of the GM Bot, Czech security firm Avast reports.

GM Bot is a banking trojan created in 2014 and released for the first time on Russian underground hacking forums in October 2015.

The trojan was a tremendous success, and many malware authors have bought its source code from its creator, a malware developer named Ganjaman.

While Ganjaman can take full credit for creating one of the most dangerous Android malware families known to date, his service lacked one feature: customer support.

GM Bot v1 source code leaked in February 2016

By February 2016, Ganjaman's deficient customer support had angered one of his clients, who, as revenge, released the source code of GM Bot online, for free.

This little setback didn't destroy the business of Ganjaman, who had secretly been working on a successor to GM Bot, which he released a month later, in March 2016, under the name GM Bot v2.

In spite of a new and seriously improved Android banking trojan, Ganjaman's deficient customer support eventually got him banned from most underground hacking forums where he was advertising his creation.

But by this time, GM Bot had become very popular and a common name among Android malware developers and distributors, who often relied on it to create GM Bot variations, such as malware detected under the names of Acecard, Bankosy, or SlemBunk, all GM Bot variants with different features.

One of the quirkiest GM Bot variations was found inside an app that asks users to take a selfie with their ID cards.

GM Bot variation asking users for a selfie with their ID card

Despite not being allowed on most major hacking forums, GM Bot continued to thrive, and just this past month, the malware received support for infecting smartphones running Android 6.0.

How GM Bot infections work

Crooks use GM Bot by packaging the malware inside an app, usually disguised as an adult video player or a fake Flash Player for Android devices. These apps are usually distributed outside of the Google Play Store, and despite Google's efforts to warn users about installing unverified apps, some users ignore all warnings.

After the user installs a GM Bot-infected app, the malicious application will constantly pester the user for admin rights. The malware requests admin rights so that it has the power to overlay fake login screens on top of legitimate apps, usually home banking mobile apps for well-known banks and financial services.
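The traits described above (installed from outside Google Play, lure names, admin rights) can be turned into a simple inventory triage. This is an added example, not code from Avast or the article; the record layout, the sample apps and the severity labels are assumptions made for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # package name of the Google Play Store app

# Lures named in the article: fake Flash Player, adult video player.
LURES = [
    re.compile(r"flash\s*player", re.I),
    re.compile(r"\b(adult|porn|xxx)\b.*\b(video|player)\b", re.I),
]

# Constructed sample inventory of user-installed apps. The record layout is
# hypothetical (for instance an MDM export), not the output of a real tool.
SAMPLE_INVENTORY = [
    {"pkg": "com.example.bank", "label": "Example Bank", "installer": PLAY_STORE, "admin": False},
    {"pkg": "com.example.flashupd", "label": "Flash Player Update", "installer": None, "admin": True},
    {"pkg": "com.example.mdmagent", "label": "Corp Device Agent", "installer": PLAY_STORE, "admin": True},
    {"pkg": "com.example.vidx", "label": "Adult Video Player HD", "installer": "com.example.store", "admin": False},
    {"pkg": "com.example.notes", "label": "Notes", "installer": None, "admin": False},
]

def assess(app):
    """Return the list of article traits this app record shows."""
    reasons = []
    if app.get("installer") != PLAY_STORE:
        reasons.append("sideloaded")
    if app.get("admin"):
        reasons.append("device-admin")
    if any(p.search(app.get("label", "")) for p in LURES):
        reasons.append("lure-label")
    return reasons

def triage(inventory):
    """Map package -> (severity, reasons) for apps that need a manual look."""
    findings = {}
    for app in inventory:
        reasons = assess(app)
        if "sideloaded" not in reasons:
            continue  # store-installed admin apps (e.g. an MDM agent) are expected
        if "device-admin" in reasons:
            findings[app["pkg"]] = ("high", reasons)
        elif "lure-label" in reasons:
            # Admin not granted yet: the app may still be nagging the user for it.
            findings[app["pkg"]] = ("medium", reasons)
    return findings
```

A sideloaded app with neither admin rights nor a lure name (the "Notes" record) is deliberately not flagged, so the output stays short enough to review by hand.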

GM Bot's popularity and an influx of new features have ensured that Ganjaman has a steady flow of revenue, so he can dedicate the time needed to create overlay popup screens that target a large number of banks from around the world.

Avast says it detected recent GM Bot variations that can target the following banks across different countries.

===============================
USA and Canada
===============================

BNC

American Express

Chase

CIBC

Citi Bank

ClairMail

Coinbase

Credit Karma

Discover

goDough

First PREMIER bank

Bank of America

JPMorgan Chase

Skrill

Western Union

PayPal

PNC

SunTrust

TD Bank

TransferWise

Union Bank

USAA

U.S. Bank Access Online Mobile

Wells Fargo


===============================
Austria
===============================

BAWAG P.S.K.

easybank

ErsteBank/Sparkasse

Volksbank

Bank Austria

Raiffeisen


===============================
Australia
===============================

Bank West

ING Direct

National Australia Bank

Commonwealth Bank

Bank of South Australia

St. George Bank

Westpac


===============================
Germany
===============================

Deutsche Bank

ING DiBa

DKB

Sparkasse

Comdirect

Commerzbank

Consorsbank

Volksbank Raiffeisen

Postbank

Santander


===============================
France
===============================

ING Direct

Crédit Mutuel de Bretagne

Crédit Mutuel Sud Ouest

Boursorama Banque

Téléchargements

Caisse d'Epargne

CIC

Crédit Mutuel

La Banque Postale

Groupama

MACIF

Crédit du Nord

Axa

Banque Populaire

Crédit Agricole

LCL

Société Générale

BNP Paribas


===============================
Poland
===============================

Comarch

Getin Group

Citi Bank

Bank Pekao

Raiffeisen  

BZWBK24

Eurobank

ING Bank

mbank

IKO

Bank Millennium


===============================
Turkey
===============================

Akbank Direkt

QNB Finansbank Cep Şubesi

Garant

İşCep

Halkbank

VakıfBank

Yapı ve Kredi Bankası

Ziraat

As GM Bot spreads its tentacles to support more and more banks from more and more countries, users should start thinking about installing antivirus solutions on their phones, just like they do with their desktops and laptops.
