Introduction

Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications, and is a well known threat in the world of mobile malware.

In most cases Slempo/GM-Bot presents itself as an “Adobe Flash Player Update”. This disguise is very popular in the mobile malware sphere and is used to trick the user into granting the malicious application device administrator privileges.

Once the user accepts, the malware is installed on the device and can control it. Its many capabilities include:

  • Intercept, redirect and block SMS messages and calls
  • Lock and unlock the device
  • Wipe the device
  • Display its own content over legitimate applications
  • Send stolen user credentials (obtained by displaying fake content) back to the Command & Control server.

After completing initial installation, the malware contacts its Command & Control server, sends it a list of all applications installed on the device together with other device information, and downloads a configuration file, which it saves locally on the device at the following path: /data/data/%App_Name%/shared_prefs/AppPrefs.xml

This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting.

Fig. 1 – Device data and installed applications sent to the C&C server.

Encoded Configuration & Fraudulent Activity

The encoded configuration file downloaded from the Command & Control server contains the targeted application names and the content to be displayed to the victim when a targeted application is activated, as can be seen below:

Fig. 2 – A snippet of the encoded configuration file.

Fig. 3 – Decoded configuration snippet showing the fraudulent HTML content displayed on top of the targeted application to harvest the user’s credentials.

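The configuration described above maps targeted application names to encoded overlay HTML and lives in an Android SharedPreferences XML file (shared_prefs/AppPrefs.xml). The following triage helper is an added example, not code from the original post or from F5: it parses a SharedPreferences file of that shape and flags entries whose decoded value is an HTML form with a password input, i.e. credential-harvesting overlay content. The base64 encoding and the `com.example.bank` target name are assumptions; the page does not state the actual encoding scheme.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample in Android SharedPreferences XML layout. Assumed encoding:
# base64 (the real Slempo/GM-Bot encoding is not described on the page).
OVERLAY_HTML = ('<form action="#"><input name="login">'
                '<input type="password" name="pin"></form>')
SAMPLE_APPPREFS = """<map>
    <string name="com.example.bank">{b64}</string>
    <string name="update_interval">60</string>
</map>
""".format(b64=base64.b64encode(OVERLAY_HTML.encode()).decode())

# An <input> element whose type attribute is "password" marks a login/PIN form.
PASSWORD_FIELD = re.compile(r'<input[^>]*type\s*=\s*["\']password["\']', re.I)


def try_decode(value):
    """Return the base64-decoded text, or None if value is not valid base64 UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_shared_prefs(xml_text):
    """Parse SharedPreferences XML and return {key: decoded_html} for every
    string entry whose decoded value is an overlay form with a password field.
    The key is the name the malware uses for the entry (here: target package)."""
    root = ET.fromstring(xml_text)
    suspicious = {}
    for node in root.findall("string"):
        key = node.get("name", "")
        decoded = try_decode((node.text or "").strip())
        if decoded and PASSWORD_FIELD.search(decoded):
            suspicious[key] = decoded
    return suspicious


if __name__ == "__main__":
    for key, html in triage_shared_prefs(SAMPLE_APPPREFS).items():
        print(f"overlay target: {key}\n  form: {html}")
```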

When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on top of the targeted application:

Fig. 4 – Fraudulent content displayed on top of the legitimate application.


After the victim enters their credentials into what they perceive to be the legitimate application, the malware sends the credentials to its C&C server, as seen below:

Fig. 5 – Victim’s credentials are sent to the C&C server.


Targets

Slempo targets a wide range of financial and non-financial applications worldwide, as the chart below shows:

Fig. 5 – Slempo target distribution.

NOTE: Applications which are not region or country specific are categorized as “Other”.

Known Slempo/GM-bot Sample MD5s:



Mitigation

To learn more about F5 fraud protection and how F5 can mitigate threats such as Slempo, please read the MobileSafe datasheet as well as the WebSafe datasheet.