Money Doesn't Stink - Cybercriminal Business Insight of A New Android Botnet

Presented at Black Hat Europe 2019, Dec. 4, 2019, 11 a.m. (50 minutes)

In mid 2018, we discovered one of the largest reported Android banking botnets known to date, that we named Geost. It was discovered when we saw one of their botmasters logging in into one of their C&C servers while using the insecure proxy network created by the HtBot malware. Computers infected with HtBot create an illegal network of proxies that are sold to customers, and our laboratory had one HtBot instance capturing the traffic. Geost resulted to be a new and very large Android Banking botnet operation targeting Russian citizens with almost 1 million victims, 15 C&C servers, thousands of domains, and thousands of malicious APK applications. This research starts with an analysis of all the OpSec failures that resulted in the discovery of Geost. Thought a treat intelligence process, we were able to know the Geost infrastructure, find domains and APKs related to it. Geost accesses all the SMS data of victims and has a direct connection to the systems of five large European banks. The operation of the botnet also includes traffic redirection and selling, data harvesting and access to premium SMS services. During the analysis, there was a breakthrough when we found a chat log of a cybercriminal entrepreneur group related to the Geost operation. This log exposed 28 people doing business for 8 months, discussing numerous projects and activities of the underground market and giving us a unique insight into how the business operation worked: the human relationships between the cybercriminals, daily routine tasks, motivational issues, money laundering, the decisions taken, and obstacles found. The criminal projects ranged from pay per install, phishing website hosting, and C&C development to malicious APKs and fake games development. This presentation shows the inner relationships of a blackmarket underground attacking group, their daily survival problems, decisions, money and struggles to make a living from malicious activities. How the hierarchy of malware development worked in the Geost botnet operation and the impact on the security of the victims. This work is unique because it shows the attackers communications in a private group and reveals a portion of how the underground cybercriminal business operates in relation with technical details of the malware. For them, operating a botnet was just one more job, and they showed no regrets or concerns about where the money is coming from, nor recognition that they were attacking others. At the end of the day, for them, the money didn't stink.


  • María José Erquiaga - Researcher, UNCUYO University
    María José Erquiaga is a malware researcher from Argentina. She is researcher and teacher at the University of Cuyo, Mendoza Argentina. She is collaborator on the Stratosphere laboratory since 2015. She is a member of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. This project aims to execute malware and capture it from honeypots. Marias work has been focused on execute and analyze malware for IoT devices.
  • Sebastián García - Researcher, Czech Technical University in Prague
    Sebastián García is a network malware researcher and Assistant Professor that has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect the civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and Universities and working on penetration testing for both corporations and governments. He was lucky enough to talk in Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace he is a free software advocate that worked on honeypots, malware detection, distributed scanning (dnmap) keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.
  • Anna Shirokova - Researcher, Avast Software
    Anna Shirokova is a security researcher from Russia, currently based in Prague, Czech Republic. She joined Avast's IoT research where she focuses on the IoT threat landscape. She is also a collaborator at Stratosphere IPS Aposemat project. This is a joint project with Avast to create, publish and analyze malware attacks on IoT devices. Anna also has been a speaker on several conferences including Botconf, BruCON, and Troopers.


Similar Presentations: