on 20-Mar-2016 04:47
Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications and is a well-known threat in the world of mobile malware.
In most cases Slempo/GM-Bot presents itself as an “Adobe Flash Player Update”. This disguise is very popular in the mobile malware sphere and is used to trick the user into granting the malicious application administrator privileges.
Upon the user’s acceptance the malware is installed on the device and is capable of controlling it. Among the malware’s many functionalities are:
After completing its initial installation, the malware contacts its Command & Control (C&C) server, sends it a list of all applications installed on the device along with various other device information, and downloads a configuration file, which it saves locally on the device at the following path: /data/data/%App_Name%/shared_prefs/AppPrefs.xml
This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting.
Fig. 1 – Device data and installed applications sent to C&C server.
The encoded configuration file that is downloaded from the C&C server contains the targeted application names and the content to be displayed to the victim upon activation of a targeted application, as can be seen below:
When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on top of the targeted application:
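As an added defender-side example (not code from the original post), the following Python triage helper locates a SharedPreferences file at the path given above and summarises which package names and overlay markup a decoded copy references. The package names, file paths and XML are constructed, and the file is assumed to have been decoded already, since the post does not describe the encoding.

```python
"""Triage helper for the Slempo/GM-Bot configuration location
(/data/data/<app>/shared_prefs/AppPrefs.xml).

The sample XML below is constructed in the standard Android
SharedPreferences layout. The real file is encoded (scheme not
described in the post), so this assumes it has already been decoded."""
import re
import xml.etree.ElementTree as ET

# Only the path layout named in the post is matched; the owning package is captured.
CONFIG_PATH_RE = re.compile(r"^/data/data/([^/]+)/shared_prefs/AppPrefs\.xml$")
# Reverse-DNS identifiers with at least two dots look like Android package names.
PACKAGE_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}\b")
# Overlay content shown on top of a targeted app is HTML-like form markup.
HTML_RE = re.compile(r"<(?:html|form|input)\b", re.IGNORECASE)


def find_config_paths(paths):
    """Return {owning_package: path} for each path at the known config location."""
    hits = {}
    for path in paths:
        match = CONFIG_PATH_RE.match(path)
        if match:
            hits[match.group(1)] = path
    return hits


def triage_prefs(xml_text):
    """Parse a decoded SharedPreferences document and summarise its entries."""
    root = ET.fromstring(xml_text)
    targets, overlay_keys = set(), []
    for node in root:  # <string name="...">value</string> entries
        key = node.get("name", "")
        value = node.text or ""
        targets.update(PACKAGE_RE.findall(value))
        if HTML_RE.search(value):
            overlay_keys.append(key)
    return {"targets": sorted(targets), "overlay_keys": overlay_keys}


# Constructed inputs: a fake dropper package and two fake targeted apps.
SAMPLE_PATHS = [
    "/data/data/com.example.flashupdate/shared_prefs/AppPrefs.xml",
    "/data/data/com.example.flashupdate/shared_prefs/other.xml",
    "/data/data/com.example.messenger/shared_prefs/settings.xml",
]
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="targets">com.example.bankone;com.example.banktwo</string>
    <string name="inject_bankone">&lt;html&gt;&lt;form&gt;&lt;input name="card"/&gt;&lt;/form&gt;&lt;/html&gt;</string>
    <string name="interval">3600</string>
</map>
"""
```

Run `find_config_paths(SAMPLE_PATHS)` and `triage_prefs(SAMPLE_XML)` against a decoded file pulled from a device to see which apps the configuration names and which keys hold overlay markup.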
Fig. 4 – Fraudulent content displayed on top of legitimate application.
Once the victim enters his credentials into what he perceives to be the legitimate application, the malware sends them to its C&C server, as seen below:
Fig. 5: Victim’s credentials are sent to the C&C server.
Slempo targets a wide range of financial and non-financial applications worldwide, as can be seen in the chart below:
Fig. 5: Slempo Target Distribution.
NOTE: Applications which are not region or country specific are categorized as “Other”.
Known Slempo/GM-bot Sample MD5s:
Mitigation
To learn more about F5 fraud protection and how F5 can mitigate threats such as Slempo, please read the MobileSafe datasheet as well as the WebSafe datasheet.