The lifecycle of an Android banking botnet typically consists of two stages: rise and fall. During the rising phase, the malware author promotes their new code and rents it underground as MaaS (Malware as a Service). As the botnet gains popularity, it evolves with new features and pricing. At some point, though, an issue occurs that triggers its fall. For example, the author gets caught (e.g., Anubis) or the source code gets released on underground forums (either willingly by the authors themselves, by a competitor, or perhaps by an unhappy customer). As a result, the botnet gradually dies. And unfortunately, others pop up on the market to take its place.
As malware analysts, we have seen the Android/Marcher, Locker, and Anubis malware we used to encounter replaced by BianLian, Cerberus, and Flubot (and still Anubis). A year ago, threat actor(s) started advertising a newcomer, the Huracan botnet. We haven’t seen it in the wild yet, or if we have, we haven’t recognized it (it isn’t always obvious to match underground names with the samples we analyze).
Since the beginning of 2022, there are even more newcomers. I have spotted at least two future banking botnets: GRIM and Magnus. You should keep an eye on those two, as they will probably emerge in the wild in the next few months.
The Magnus Botnet has been repeatedly advertised underground by a threat actor named whit3_d3vil since February 2022. It is unclear whether whit3_d3vil is the author or just a reseller. The botnet implements all the typical features that banking trojans currently have: overlay injection over mobile banking applications, sending SMS, SMS interception, 2FA bypass, remote administration via VNC, etc. And unlike BianLian, communication with its C2s is encrypted using AES.
The botnet can be rented for 1,000 USD per month.
Should we be amused or anxious that malware is being sold like boxes of cookies on the web? There are even sales (prices marked down from 1,600 USD to 1,000 USD), watermarked screenshots (against competitors?), and videos demonstrating the product!
The Grim botnet is less expensive: only 500 USD/month. It is being advertised on a specialized Telegram channel. It implements more or less the same features as the Magnus bot. Prices for underground botnet packages are set freely by the authors/resellers and don’t necessarily reflect features. A lower price for Grimbot can mean the malware has less notoriety, for instance, rather than fewer features.
If you are a malware analyst, be on the lookout for a new banking botnet whose communication with its C2 is encrypted with AES (Magnus) or a botnet with tags such as “grim” that poses as a “Security” application.
Fortunately, if you are protected by Fortiguard Antivirus (e.g. FortiGate, FortiClient, FortiMail, FortiWeb, FortiProxy), you are automatically protected against many Android banking trojans.
However, there are a few other precautions you should take:
Fortinet products detect malware discussed in this blog: