GM Bot

GM Bot is a banking Trojan that typically targets Android mobile devices. GM Bot was observed for sale on underground hacker forums for $5,000 in October 2014. Other malicious developers purchased the Trojan and created their own variants of GM Bot, which quickly established itself as one of the most sophisticated Android malware threats. One of the hackers who was renting the Trojan eventually leaked the source code, leading the original author to develop and release GM Bot v2 in early 2016, charging $15,000 for the malware and exploits with a monthly fee of $2,000. The developer claims they will add new features to the Trojan, including plans to work through Tor connections. In March, FireEye confirmed similarities between GM Bot and the SlemBunk mobile Trojan, indicating that the two share a common origin with several other prominent mobile malware variants, including the first known file-encrypting ransomware for Android, Simplelocker.

Reporting

  • October 2016: A new variant of GM Bot can exploit the security features of devices running any version of Android up to the latest distribution of the Android 6.0 Marshmallow operating system. (SecurityIntelligence)

  • October 2016: GM Bot has evolved to target more than 50 banks worldwide. (Avast)

  • March 2016: FireEye confirmed similarities between GM Bot and the SlemBunk mobile Trojan. (FireEye)

  • February 2016: GM Bot contains similarities with other Android banking malware, such as SlemBunk, Bankosy, Mazar BOT, and AceCard. (IBM)

Technical Details

  • FireEye provides a technical analysis of GM Bot v2.

One example of the GM Bot infrastructure. Image Source: FireEye