Android banking botnet targets thousands

Researchers from the Czech Technical University, UNCUYO University and Avast have discovered a new Android banking botnet targeting Russian citizens that has been operating since at least 2016.

The Geost botnet has infected over 800,000 Android devices according to the researchers' estimates, and the hackers behind it potentially control several million Euros.

The unusual discovery of the botnet was made when the hackers decided to trust a malicious proxy network built using a malware called HtBot. The HtBot malware provides a proxy service which can be rented to provide users with a pseudo-anonymous connection to the internet. By analyzing HtBot network communication, the researchers discovered the large malicious operation.

The hackers behind the botnet also failed to encrypt their communications, which gave the researchers an unprecedented view into their inner workings. Their chat logs revealed how they accessed servers, brought new devices into the botnet and evaded antivirus software.

Geost botnet and banking Trojan

Avast researcher Anna Shirokova explained how the poor choices made by the group gave the researchers a great deal of insight into their operations, saying:

“We really got an unprecedented view into how an operation like this functions. Because this group made some very poor choices in how it tried to hide its actions, we were able to see not just samples of the malware, but also delve deep into how the group works with lower level operatives bringing devices into the botnet and higher level operatives determining how much money was under their control. All told, there were over eight hundred thousand victims and the group potentially controlled millions in currency.” 

The Geost botnet appears to be a complex infrastructure of infected Android smartphones. The phones are first infected with Android APKs which resemble different fake applications including fake banking apps and fake social networks. Once an infected phone connects to the botnet, it is remotely controlled and the attackers can access and send SMS messages, communicate with banks and redirect the device's traffic to different sites. The hackers can also access a great deal of personal information from users of these infected devices.

After the infection, command and control servers store a complete list of SMS messages of all the victims beginning the moment the device became infected. These messages are processed offline in the C&C server to automatically compute the bank balance of each victim.

The Geost botnet has a complex infrastructure made up of at least 13 C&C IP addresses, over 140 domains and more than 140 APK files. The primary targets of the banking Trojan were five banks, most of them Russian.
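The infection chain described above (fake banking or social-network APKs that read and send SMS, talk to the network and harvest personal data, with the C&C later mining the collected SMS for balance information) leaves a recognisable footprint in an app's manifest. The following is an added example, not code from the Avast or CTU researchers: a small static triage script that parses a decoded AndroidManifest.xml (for instance as produced by apktool) and flags the SMS-read-plus-SMS-send-plus-network capability set. The two manifests embedded in it are constructed for the example.

```python
"""Static manifest triage for the capability set Android banking trojans
such as Geost rely on: receiving/reading SMS, sending SMS, network access
and access to personal data.  Added example; the manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifest resembling a fake banking app that intercepts SMS.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary networked app with no SMS access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = "android.permission.SEND_SMS"
NETWORK = "android.permission.INTERNET"
PERSONAL = {"android.permission.READ_CONTACTS",
            "android.permission.READ_CALL_LOG"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, has SMS_RECEIVED receiver)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED lets the app see incoming texts as they arrive,
    # which is how banking trojans grab one-time codes and balance alerts.
    sms_receiver = any(a.get(NAME_ATTR) == SMS_ACTION for a in root.iter("action"))
    return root.get("package"), perms, sms_receiver


def triage(xml_text):
    """Score a manifest; verdict is 'suspicious' only when the app can both
    read and send SMS and reach the network (the Geost capability set)."""
    package, perms, sms_receiver = parse_manifest(xml_text)
    findings = []
    if perms & SMS_READ:
        findings.append("reads incoming SMS")
    if SMS_SEND in perms:
        findings.append("can send SMS")
    if perms & PERSONAL:
        findings.append("accesses personal data")
    if sms_receiver:
        findings.append("registers SMS_RECEIVED receiver")
    full_set = bool(perms & SMS_READ) and SMS_SEND in perms and NETWORK in perms
    return {
        "package": package,
        "findings": findings,
        "verdict": "suspicious" if full_set else "no SMS banking capability",
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "->", result["verdict"], result["findings"])
```

The script is a first-pass filter for an incident responder sorting sideloaded APKs, not a malware classifier: legitimate SMS clients also request this set, so a hit means "look at the app's code and network traffic", not "confirmed trojan".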

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 