In the last few days there has been news about yet another malware source code leak. Malware source code is usually sold for high prices on underground forums, where the original developers can charge thousands or even tens of thousands of USD for the source code, with optional support. In the latest leak the source code for what has become known as Bankbot was revealed. The Bankbot trojan has basic functionality such as gaining device administrator privileges (an Android permission the user grants to the app; it is not the same as root access), communicating with command and control servers, intercepting SMS messages, tracking devices, showing dialogs and stealing sensitive information entered by the end user. The source code as leaked contains attacks for 39 Russian banks and payment service providers, but it is likely that other non-leaked variants contain attacks for other regions.
Currently the two most common vectors for spreading malware are either to create fake, seemingly benign applications for the official Google Play Store, or to take commercial applications, add malware functionality, and then upload the result to a pirate site for users to download “for free”. Of course, if you are careful about which applications you install on your phone, and do not enable installing from unknown sources, you are at least somewhat safe from the second path, though not from a malicious app that slips through Play Store review. Still, as security vulnerabilities such as Stagefright have shown, many devices are vulnerable to malware even if the user never explicitly installs an application: simply viewing a web page, or receiving a crafted MMS, can be enough to run malicious code. If you think that you are safe from this type of threat, try Stagefright Detector; it might give you a surprise.
With more malware source code in the wild, it also becomes harder for anti-virus vendors to claim that they can detect most types of malware. Since anyone can recompile (and potentially obfuscate) the downloaded source code, there is potentially an endless number of new binary patterns for signature-based anti-virus software to look for, while the behaviour of the resulting samples stays the same. It also makes the automated malware scanning used by vendors such as Google much harder, as more source code in the wild means a stronger malware ecosystem.
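To make the point concrete, here is an added example (not code from the original post or from Protectoria) that contrasts two ways of recognising a recompiled trojan. Two constructed AndroidManifest.xml samples stand in for the original build and a recompiled, renamed variant of the same source: a file hash and a byte-pattern signature taken from the first build no longer match the second, but the combination of capabilities the post lists for Bankbot (device administrator, SMS interception, dialogs drawn over other apps, device tracking, C2 traffic) is still declared in the manifest and is matched by a capability heuristic. The permission names are real Android permissions; the package names, receiver names and the threshold of four capabilities are assumptions made for the example.

```python
"""Hash/byte signatures vs. a capability heuristic on recompiled Android malware.

Added example, not part of the original post. The manifests below are
constructed; package names and class names are hypothetical.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the post attributes to Bankbot, mapped to the Android permission(s)
# an app must declare to obtain them. Each permission alone is common in benign
# apps; treating the *combination* as a banking-trojan indicator is this
# example's assumption, not a published detection rule.
CAPABILITY_PERMISSIONS = {
    "intercept_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_dialogs": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "track_device": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "c2_communication": {"android.permission.INTERNET"},
}
# A device-admin receiver is protected by this permission in the manifest.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample 1: the "original" build, disguised as a flashlight app.
SAMPLE_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Flashlight">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample 2: the same source recompiled by someone else. Package and
# class names changed, permissions reordered, coarse instead of fine location,
# one harmless permission added. Every byte-level artifact differs.
SAMPLE_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.sample.torchpro">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Torch Pro">
    <receiver android:name=".b"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: a notes app that only talks to the network.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def sha256_hex(blob: bytes) -> str:
    """Whole-file hash: the weakest possible signature, broken by any change."""
    return hashlib.sha256(blob).hexdigest()


def byte_signature_hits(blob: bytes, signature: bytes) -> bool:
    """Substring signature, the kind a naive AV pattern would extract."""
    return signature in blob


def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def requests_device_admin(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    return any(el.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
               for el in root.iter("receiver"))


def capabilities(manifest_xml: str) -> set:
    """Capability names the app asks for, independent of names, order or bytes."""
    perms = declared_permissions(manifest_xml)
    caps = {name for name, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if requests_device_admin(manifest_xml):
        caps.add("device_admin")
    return caps


def is_suspect(manifest_xml: str, min_capabilities: int = 4) -> bool:
    """Flag when enough trojan-typical capabilities co-occur (threshold assumed)."""
    return len(capabilities(manifest_xml)) >= min_capabilities


if __name__ == "__main__":
    v1, v2 = SAMPLE_V1.encode(), SAMPLE_V2.encode()
    sig = b"com.example.flashlight"  # signature an analyst might lift from build 1
    print("hash match:", sha256_hex(v1) == sha256_hex(v2))
    print("byte signature matches v2:", byte_signature_hits(v2, sig))
    print("capabilities v1:", sorted(capabilities(SAMPLE_V1)))
    print("capabilities v2:", sorted(capabilities(SAMPLE_V2)))
    print("suspect v1/v2/benign:", is_suspect(SAMPLE_V1), is_suspect(SAMPLE_V2),
          is_suspect(SAMPLE_BENIGN))
```

The heuristic is deliberately crude: a real scanner would also look at the code for overlay and SMS handling, and an attacker can split functionality across a dropper and a payload. The point is only that a recompiled variant defeats anything keyed on the bytes of one build while leaving its declared capabilities untouched.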
What is the solution? At Protectoria we believe that the only way to protect against malware such as this is to harden the most critical parts of your application: the authentication and transaction authorization procedures.