The source code for a powerful Android banking malware program that steals online banking credentials has been leaked, researchers at IBM have confirmed.

A malware family that is known by several names such as Slempo, Bankosy, Acecard, MazarBot and the infamous GM Bot has had its source code leaked on an underground forum board in December 2015, security researchers at IBM have discovered.

The leaked code for the malware and its control panel is now accessible to fraudsters and malicious operators for free. Incredibly, the source code also comes with a tutorial and instructions for server-side installation. This means that the GM Bot malware is now accessible by cybercriminals who can then create new variants of the malware strain. Fundamentally, the leaked source code can be used to develop, sell and deploy the malware.

GM Bot has been sold on underground hacking forums for about $500. One purchaser then proceeded to leak the source code for free, perhaps to increase his or her reputation among the forum members. To increase one’s standing among the underground board, criminals routinely offer or give something back to the community. In this instance, the source code of a banking malware, complete with a tutorial to enable online banking fraud. The leak was made possible through an encrypted archive file that contained the GM Bot malware source code.

IBM’s blog revealed:

He [the cybercriminal who leaked the source code] indicated he would give the password to the archive only to active forum members who approached him. Those who received the password in turn passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list.

GM Bot originally emerged in late 2014 on Russian-speaking hacking forums. The malware exploits a vulnerability known as “activity hijacking,” common in older versions of Android. The vulnerability allows an overlay to be displayed over a legitimate application. The overlay essentially replicates the screen that the user routinely sees when opening a banking app. Unbeknownst to the targeted user, the banking app is in fact running underneath the malicious overlay. When the user enters his or her login credentials, the information is sent to attackers instead.

Google, for its part, has reinforced its security framework to put the brakes on activity hijacking on android versions higher than 5.0.

Image credit: Pixabay.