The New Era of Android Banking Botnets

In the past, mobile malware used to target victims only to harvest SMS messages, which are often used as a 2FA (two-factor authentication) mechanism or as an OTP (one-time password) channel. Since late 2015, we have seen attacks that target the entire bank app with an overlay type of attack, which started a new era in Android banking botnets. This is what we will be detailing and discussing in this presentation.
First, we will quickly introduce the audience to past Android malware families that had SMS harvesting as their goal. Perkele, Zitmo and iBanking are some examples of those families.
Then, we will focus on the evolution of modern Android malware in terms of obfuscation, anti-analysis, C&C communication and infection mechanisms. We will also provide insights into some of those modern Android malware botnets, including some not yet known to the public. The Android malware families we will be discussing are: Slempo (also known as GMBot and SlemBunk), MazarBot, Catelites, Shifu, Marcher and BankBot (also known as Maza-in).


Pedro Drimel Neto is a Threat Analyst at Fox-IT InTELL, where he focuses on the analysis of cybercrime-oriented malware. In the past, he worked as a Malware Analyst at BlackBerry and as a Security Researcher at Qualys, the Brazilian Government Research Center and zImperium.
