Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Is Slempo/GM-Bot the new standard for mobile malware?

Shaul_Vilkomir-
Historic F5 Account

on ‎20-Mar-2016 04:47

Introduction

Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications, and is a well known threat in the world of mobile malware.

In most cases Slempo/GM-bot presents itself as “Adobe Flash Player Update”, this disguise is very popular in the mobile malware sphere, and used in order to trick the user into granting the malicious application administrator privileges.

Upon the user’s acceptance the malware is installed on the device and is capable of controlling it. Among the malware’s many functionalities are:

  • Intercept, redirect and block SMS messages and calls
  • Lock and unlock the device
  • Wipe the device
  • Display it’s own content over legitimate applications
  • Send stolen user credentials (obtained by displaying fake content) back to the Command & Control server.

After completing initial installation, the malware will contact its Command & Control server, send it a list of all applications installed on the device and various other device information, and will download a configuration file which it will save locally on the device at the following path: /data/data/%App_Name%/shared_prefs/AppPrefs.xml

This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting.

 

0151T000003d6oTQAQ.png

Fig. 1 – Device data and installed applications sent to C&C server.

 

Encoded Configuration & Fraudulent Activity

The encoded configuration file which is downloaded from the Command & Control server contains the targeted application names and content to be displayed to the victim upon activation of a targeted application, as can be seen below:

 

0151T000003d6oUQAQ.png

Fig. 2 – A snippet of the encoded configuration file

 

0151T000003d6oVQAQ.png

Fig. 3 – Decoded configuration snippet showing fraudulent HTML content to be displayed on top of the targeted application and harvest user’s credentials.

 

When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on-top of the targeted application:

 

0151T000003d6oWQAQ.png

Fig. 4 – Fraudulent content displayed on top of legitimate application.

 

After entering his credentials into what the victim perceives to be the legitimate application, the malware then sends the credentials to its C&C server, as seen below:

 

0151T000003d6oXQAQ.png

Fig. 5: Victim’s credentials are sent to the C&C server.

 

Targets

Slempo targets many various financial and non-financial applications worldwide, as can be seen in the chart below:

0151T000003d6oYQAQ.png

Fig. 5: Slempo Target Distribution.

NOTE: Applications which are not region or country specific are categorized as “Other”.

Known Slempo/GM-bot Sample MD5s:

  • 288ad03cc9788c0855d446e34c7284ea
  • e740233e0a72be4db2dcd5d5b7975fa0
  • 3ef8e4ea08e9eff6db3c9ebf247a97b5
  • 45e66a89db86309673d33b1aa4047fd1
  • a5387f3487c0749394def743a7345c47
  • f90cded5ec2a6c29b636945af85e3069

 

Mitigation

To learn more about F5 fraud protection and how F5 can mitigate threats such as Slempo, please read the MobileSafe datasheet as well as the WebSafe datasheet.

Labels:
0 Kudos
Version history
Last update:
‎20-Mar-2016 04:47
Updated by:
Contributors
Copyright © 2023 Khoros, LLC