Aposemat Geost Android Botnet Research
Effective operational security is difficult to maintain due to an increase in the costs of work and a decrease in the performance of actions. This is true both for security analysts and malicious attackers. It is tedious, and errors are easy to make. This paper describes the rare discovery of a new Android banking botnet, named Geost, from the operational security failures of its botmaster. They made many mistakes, including using the illegal proxy network of the HtBot malware, not encrypting their Command and Control servers, re-using security services, trusting other attackers with less operational security, and not encrypting chat sessions. The Geost botnet has hundreds of malicious domains, thirteen IP addresses for C&C servers, approximately 800,000 victims in Russia, and potential access to several million Euros in the bank accounts of the victims. More importantly, the operational security mistakes lead to the discovery of members of an underground group that develop and maintain the C&C of Geost. It is seldom possible to glimpse into the decisions taken by the attackers due to failures in their operational security. This research presents the finding of a new Android banking botnet from operational security mistakes, creates an overview of the botnet operation, analyses the victims, and study the relationships with the discovered groups of developers.