GM Bot

The malware that pioneered overlay attacks on Android. Created by a Russian-speaking developer known as "GanJaman" and sold on darknet forums from 2014, GM Bot introduced the technique of displaying fake login screens over legitimate banking apps. Its source code leak in early 2016 spawned an entire ecosystem of derivative banking trojans, including BankBot, Mazar BOT, and SlemBunk.

Overview

Property       Value
First Seen     October 2014
Type           Banking trojan (overlay-based)
Attribution    "GanJaman" (Russian underground forums)
Aliases        Trojan-Banker.AndroidOS.GMBot (Kaspersky), Android.Bankosy (Symantec), Acecard, MazarBOT (derivatives)

Distribution

Sold on Russian underground forums and delivered to victims through phishing and repackaged apps. Avast counted over 200,000 infections from GM Bot-based trojans within a single three-month period.

Capabilities

Capability              Implementation
Overlay attacks         Displayed fake login screens over 50+ banking apps
SMS interception        Bypassed 2FA by intercepting incoming SMS
Device admin            Requested admin privileges for persistence
Screen lock             Could lock the device screen
Customizable overlays   Phishing templates matched the targeted banking apps

Source Code Leak

Between December 2015 and February 2016, a disgruntled customer of GanJaman leaked the GM Bot v1 source code. The leak had a cascading effect on the Android threat landscape:

Derivative   Period      Relationship
BankBot      2016-2018   Open-source banking trojan evolved from GM Bot concepts
Mazar BOT    2016        Used GM Bot code with added Tor communication
SlemBunk     2015-2016   Influenced by the GM Bot overlay model
Acecard      2015-2016   Adopted GM Bot's overlay technique for 30+ banks

GanJaman released GM Bot v2 in March 2016, after the leak, but it gained limited traction because of the reputational damage the leak had caused.

Significance

GM Bot's overlay attack model became the standard approach for the Android banking trojans that followed it. Every major family from Anubis to TsarBot uses a variation of the technique GM Bot introduced.