IBM malware murderer Limor Kessem says Android VXers are using legitimate screen overlay features to hose handsets.
Screen overlays do what it says on the can: applications with appropriate permission can monitor other apps and then overlay to allow entry or retrieval of data. The technique is legitimately used by popular applications like LastPass for filling in passwords and in modern Androids requires explicit user permission to run.
When used in malware, overlays trick users into entering data into a transparent malicious application that appears to be a legitimate application or web page.
Kessem says the popular GM Bot malware, one of the most prolific users of the screen overlay technique and among the priciest on the Russian malware scene, has since March increased its price from US$5000 to US$15,000.
"The mobile malware marketplace has been bustling with activity in the past few months," Kessem says.
"Mobile malware is becoming a central part of underground dealings and an important fraud frontier that’s growing in size and sophistication.
Mobile malware nowadays is picked up and operated by different ranks of cybercriminals — from professional, organised gangs to the least experienced forum readers who buy malware and rely on technical setup and support services from underground vendors."
Cheaper and less-featured knock-offs exist including Bial Bot, Cron Bot, and KNL Bot. Such inferior products cost between US$3000 and US$7000, but all sport screen-overlay robbing techniques.
KNL Bot is the closest to GM Bot in that it grants control over infected handsets to plunder banking credentials, can intercept SMS texts, and is "impossible to remove", according to its authors.
It can also use SMS for command and control should victims suffer poor data connectivity.
Cron Bot is sold as a rental service, because there's no honour among thieves and its makers fear users would steal the code.
Kessem says screen overlay malware will likely become more prevalent, because it works.
The good news is that most secure apps, among them banking tools, seek out screen overlays and warn users when they appear.
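One way a banking app can do that overlay check on Android, as an added example that is not from the article or any of the vendors it names: a login button that drops taps the OS flags as having passed through another window on top, and tells the user why. The package and class names are hypothetical; the `setFilterTouchesWhenObscured` and `FLAG_WINDOW_IS_OBSCURED` APIs are standard Android.

```java
package example.overlaydefense; // hypothetical package name

import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Toast;
import androidx.appcompat.widget.AppCompatButton;

/** Sign-in button that refuses touches delivered while another window covers it. */
public class OverlayAwareButton extends AppCompatButton {

    public OverlayAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches when a non-secure window is drawn over this view.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        // Set by the system when the touch travelled through another window
        // that fully covers this view (classic tapjacking / overlay case).
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // Added in API 29: another window covers part of this view. The constant
        // is a compile-time value, so the check is harmless on older releases.
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            // Warn once per gesture rather than on every ACTION_MOVE.
            if (event.getActionMasked() == MotionEvent.ACTION_DOWN) {
                Toast.makeText(getContext(),
                        "Another app is drawing over this screen. Close it before signing in.",
                        Toast.LENGTH_LONG).show();
            }
            return false; // swallow the touch; the click never fires
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

This only catches input that actually reaches the app through an overlay; an opaque fake login screen that keeps the touches for itself never hands the real app anything to inspect, which is why the warning is a mitigation rather than a cure.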
FireEye researchers Wu Zhou, Junyuan Zeng, Linhai Song, and Jimmy Su have also analysed this class of malware, with their dissection of GM Bot and SlemBunk offering a nicely detailed look at their inner workings.
Mobile antivirus vendors routinely claim they can detect and crimp this class of threat. ®