Geost Botnet
The Geost Botnet is a network of infected Android devices that specializes in distributing banking Trojans. Unusually, the Geost Botnet targets the finances of its members, instead of attacking third parties, and equally oddly, prefers the customers of Russian banking services. Android phone users can have compatible anti-malware protection remove the Geost Botnet, and should immediately contact their bank about other steps to take afterward.
Insecurity for Criminals Becomes Forewarning for Their Victims
A particularly enterprising team of criminals is collecting funds from hundreds of thousands of Russian banking customers. While their boldness in targeting Russian finance is notable, considering that nation's unique relationship with cyber-criminals, it isn't matched by cautious operational behavior. Poor choices on the part of this threat actor have given the world a close look at the previously-invisible Geost Botnet.
The Geost Botnet is unusual in several ways, albeit not its motivation of making money via theft. It targets Android smartphones, compromising them through fake applications for social messaging or financial Web services. Then, it recruits the devices into its botnet – although its technique of doing so is a part of its downfall.
The Geost Botnet uses a proxy service based on Htbot, which is insecure enough that it gave security researchers a lead into the Trojan's C&C infrastructure. Criminal communications without encryption provided even more information, including such crucial pieces as their AV avoidance techniques, and such personal ones as the relationships between Black Hats as individual actors.
Despite all its quirks, the Geost Botnet is still devoted to making money by the straightforward method of dropping a banking Trojan that compromises the browser and related applications for accessing bank accounts.
What the Geost Botnet's Victims Lose Besides Their Money
The Geost Botnet's threat actors are interested in exploiting SMS messaging capabilities, hijacking users' browsers and forging bank communications. All of these are possible tactics for collecting passwords and other security information. Not-so-coincidentally, the Geost Botnet's criminal team also accesses a vast and invasive quantity of the user's information.
The Geost Botnet's capabilities could apply just as well to many banking organizations. However, malware experts are confirming the absence of any non-Russian banks in its current campaign. The banks whose customers are under attack are well-financed and large, which indicates that a lack of technical expertise or funding isn't the reason for this overall strategic decision.
Android users with a possible infection should assume that all SMS content, among other information, is in criminal hands. Hopefully, anti-malware solutions suited to that OS will delete the Geost Botnet at the 'fake application' stage.
European universities, the cyber-security industry, and Russian banking organizations are working together to put an end to the Geost Botnet. For now, however, its eight hundred thousand infected phones are potential wellsprings of profit.