Our AI Center researchers, together with Avast, discovered a group of hackers that infected 800 000 Android users with malware. The attackers were targeting customers of five banks located in Eastern Europe and Russia. This is one of the first great achievements resulting from our collaboration, which will be fostered in a joint lab (more info about this will come soon). We uncovered the group when examining samples of HtBot, a form of malware that provides attackers with pseudo-anonymous communication to the internet. However, when using the illegal HtBot service, the attackers did not encrypt their data, alerting us to their activity. Thanks to this OpSec (operational security) error, we were able to look behind the scenes of a successful hacking campaign.
Our research was presented by Sebastián García and Anna Shirokova at Virus Bulletin 2019 in London. Watch the whole talk to learn more about this great scientific discovery with real-life impact.
Details of this discovery are described in a research paper (Geost Botnet. The Story of the Discovery of a New Android Banking Trojan from an Opsec Error) by our cybersecurity researcher Sebastián García, written in cooperation with Anna Shirokova from Avast and Maria José Erquiaga of UNCUYO University. It provides a rare view into a cybercrime operation falling apart due to its own operational security mistakes.
The diagram below shows the process of the discovery of the Geost botnet. A monitored bot of the HtBot malware was used by the Geost botmasters. First, the Geost botmaster connected to the HtBot network; second, the HtBot network relayed the data to our bot; third, our bot sent the traffic to the Internet; fourth, the botmaster accessed the Geost C&C server on the Internet.
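To illustrate why the botmasters' activity was visible from a monitored HtBot bot, here is an added example (written for this page, not code from the researchers, the paper or Avast) of the triage a defender running such a monitored relay node can do: it takes flows relayed through the node, separates TLS from plaintext HTTP by inspecting the first bytes each client sent, and pulls the Host header and request path out of the plaintext requests. Everything the TLS flows carry stays opaque; only the unencrypted traffic gives the relay operator anything to look at, which is exactly the OpSec error described above. The flow records, the IP addresses and the hostname panel.example.invalid are constructed sample data, not indicators from the Geost investigation.

```python
"""Triage of flows relayed through a monitored proxy bot (added example).

The relay node sees the raw bytes each client sends toward its destination.
Encrypted (TLS) flows reveal nothing beyond the destination, while plaintext
HTTP exposes hostnames, paths and bodies to whoever operates the relay.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class RelayedFlow:
    src: str            # client that used the proxy service (constructed sample)
    dst: str            # destination reached through the monitored bot
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' based on the first bytes of a flow."""
    # A TLS record starts with content type 0x16 (handshake) and version 0x03 0x0X.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) and b" HTTP/" in first_line:
        return "http"
    return "unknown"


def http_summary(data: bytes) -> dict:
    """Extract method, path, Host header and body length from a plaintext request."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    method = parts[0].decode(errors="replace")
    path = parts[1].decode(errors="replace") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return {"method": method, "path": path, "host": headers.get("host"), "body_len": len(body)}


def triage_flows(flows) -> list:
    """Classify every relayed flow; plaintext HTTP flows get a request summary."""
    report = []
    for flow in flows:
        kind = classify_payload(flow.first_bytes)
        entry = {"src": flow.src, "dst": flow.dst, "dport": flow.dport, "kind": kind}
        if kind == "http":
            entry.update(http_summary(flow.first_bytes))
        report.append(entry)
    return report


def plaintext_destinations(flows) -> dict:
    """Count how many plaintext HTTP flows went to each destination address."""
    return dict(Counter(f.dst for f in flows if classify_payload(f.first_bytes) == "http"))


# Constructed sample flows: TEST-NET addresses and an .invalid hostname, not real IoCs.
SAMPLE_FLOWS = [
    RelayedFlow("10.0.0.5", "203.0.113.10", 443,
                b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),   # TLS ClientHello
    RelayedFlow("10.0.0.5", "198.51.100.7", 80,
                b"POST /gate.php HTTP/1.1\r\nHost: panel.example.invalid\r\n"
                b"Content-Length: 18\r\n\r\nid=bot-0001&cmd=go"),
    RelayedFlow("10.0.0.5", "198.51.100.7", 80,
                b"GET /api/tasks?id=bot-0001 HTTP/1.1\r\nHost: panel.example.invalid\r\n\r\n"),
    RelayedFlow("10.0.0.9", "192.0.2.55", 4444, b"\x00\x01\x02\x7f\xff"),           # opaque binary
]


if __name__ == "__main__":
    for entry in triage_flows(SAMPLE_FLOWS):
        print(entry)
    print("plaintext destinations:", plaintext_destinations(SAMPLE_FLOWS))
```

Run as a script, the report lists each flow's kind and, for the two plaintext requests, the host `panel.example.invalid`, the paths and the POST body length; the TLS flow to port 443 and the binary flow to port 4444 are reported as `tls` and `unknown` with no further detail, because the relay has nothing readable to show for them.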
ZD Net: This huge Android trojan malware campaign was discovered after the gang behind it made basic security mistakes
Security Intelligence: Geost Banking Botnet Has Infected 800,000 Android Users Since 2016
Trip Wire: Discovery of Geost Botnet Made Possible by Attacker OpSec Fails
Avast Blog: Pulling back the curtain on a banking botnet