A relatively new commercial mobile bot, Hand of Thief (HoT) for Android, which targets users of online banking, has been circulating in underground forums for the past three months. As its owner claims, this bot variant is “better than Perkele” – the notorious Android malware kit used to bypass multi-factor authentication.

HoT originally made some waves this past August as a (not too mature) Linux-targeting banking Trojan. It looks like the owner has now decided to expand the business to the more lucrative and pervasive mobile platform.

The seller is currently advertising the Android version of HoT in a Russian underground forum. For a mere $950, the seller offers a bot with SMS forwarding capabilities. In particular, the bot is marketed as intercepting mTANs – part of a two-factor authentication mechanism commonly used by banks. Ultimately, this would allow the attacker to perform a banking transaction on behalf of the infected victim, without the victim's knowledge.

Hand of Thief (Android), as advertised in a Russian underground forum

Run through Google Translate, an extract of the ad reads as follows (note: Google inconsistently translates “bot” as “Boat”):

We are pleased to offer you a bot to intercept sending SMS to the mobile operating system Android.

Buying this product, you are helping in the development of this forum, because part of the money from the sale goes to fund the forum!

Boat:

Boat to intercept sending SMS to the mobile operating system Android.

Boat runs on all version of the OS * Android, has strong encryption for communication with the control panel (256 bit),

works hidden from the user (has mechanisms Anti-Detection)

has a hidden autostart does not require privileges root (right in the system does not increase).

1) SMS Interception:

1.1) with a specific number;

1.2) on the part of the text of the message;

1.3) to intercept all messages;

1.4) hidden from the user message when the interception;

1.5) to show messages to the user when the interception;

2) Sending SMS to a specific number (SMS not visible in the list sent);

3) Startup;

4) No application icons in the phone menu (optional); **

5) AntiPesochnitsa Virtual Machine;
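As an added defender-side example (not from the original post and not the malware's own code), the script below triages an AndroidManifest.xml for the combination of traits the ad lists: SMS receive/send permissions, a high-priority SMS_RECEIVED receiver (on Android versions before 4.4 an app could use this to consume the broadcast so the message never reached the inbox), a BOOT_COMPLETED receiver for hidden autostart, and no launcher activity (no app icon). The manifest is constructed for this example; its package and class names are placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest showing the traits from the ad (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankcert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Bank Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of heuristic findings for one manifest (empty if none)."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("sms_receive_and_send")
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in filt.findall("action")}
            priority = int(filt.get(ANDROID + "priority", "0"))
            # A very high priority lets a receiver see (and pre-4.4, abort) the
            # SMS broadcast before the stock messaging app does.
            if SMS_RECEIVED in actions and priority >= 1000:
                findings.append("high_priority_sms_receiver")
            if BOOT_COMPLETED in actions:
                findings.append("boot_autostart")
    has_launcher = any(c.get(ANDROID + "name") == LAUNCHER
                       for act in root.iter("activity") for c in act.iter("category"))
    if not has_launcher:
        findings.append("no_launcher_icon")  # nothing in the app drawer to notice
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Any one finding is common in legitimate apps; it is the full combination that warrants a closer look at the APK.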

A forum contributor who claims to have experience using HoT for Android further provides their two cents on infecting users with the malware. All of the techniques rely heavily on social engineering. One such technique prompts users to install a so-called certificate belonging to the bank. The certificate is actually provided with the malware, as shown in the screenshot below. To make the certificate message appear more credible, it prompts users to provide their device type (Android, iPhone, Blackberry or other) – even though the malware is specific to Android.

A forum user describes how to infect the user

That same forum participant goes on to say that the best way to infect the user is by placing the malware on Google Play.

Even the forum’s moderator has gone to the lengths of validating the authenticity of the seller’s ad. Below the original ad, the moderator added his own endorsement that the bot does in fact perform what the ad claims it does:

The forum owner vouches for the product

Another forum contributor has even taken the time to write up a short review stating that the Android HoT is superior to other existing mobile SMS forwarders and is very useful in online banking scenarios.

A positive review by a happy purchaser

Of course, it could be that the forum moderator and the reviewers are actually acting on behalf of the seller. That possibility applies to all wares advertised in underground forums. Knowing that the Linux version of HoT has its limitations, it’ll be interesting to see whether the seller will actually be able to deliver on these promises and whether this mobile malware will catch on. We’ll be sure to update you on any new developments.