Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks (Mar 5, 2020)

Researchers at TrendMicro have published an analysis of the Android Trojan “Geost,” following the release of their 2020 Security Predictions report, which highlighted the continued proliferation of mobile malware families. Geost was first identified in October 2019 targeting Russian banks, and had already reached a victim count of over 800,000 users when first detected. According to TrendMicro, “The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it more difficult to reverse engineer.” The Geost botnet consists of infected Android phones, which are compromised through fake banking and social network applications. Once infected, a phone connects to the botnet and can be remotely controlled.

Recommendation: Botnet malware takes advantage of internet-connected devices that have been misconfigured or do not have security updates applied. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can help prevent malware that scans for such configurations. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring. It is also important to understand what permissions an application will request from its users, because strange behavior can potentially indicate a breach or malicious activity.
