Security researchers describe SMS malware markets
Highly organized Russian groups have transformed mobile hacking into an industrial scale business, a kind of "malware-as-a-service," complete with marketing affiliates, distributors and customer support. Ten such criminal enterprises are responsible for more than 60 percent of all Russian malware, and millions of dollars in fraudulent SMS toll charges against end users' phone bills.
The details of the extent and sophistication of Russian malware, most of it so far targeted against Russian-speaking Android phone users, is the result of a six-month long investigation called Operation Dragon Lady by Lookout, a mobile security firm based in San Francisco. The company markets and sells security and antivirus apps to Android and iOS users and to business clients, to combat the same kind of problem uncovered by its investigation. Lookout researchers combined the results of Dragon Lady with three years of data collection on malware patterns in Russia.
Lookout researchers presented the results last weekend at the DefCon Hacking Conference in Las Vegas. The full report is now online.
Malware as a business
Together, the two data sources reveal the existence of sophisticated networks treating malware as a business. At the top are what Lookout calls "Malware Headquarters," which create do-it-yourself malware platforms, and then market and support these like any legitimate software vendor. The headquarters have an aggressive schedule to release new Android code and configurations every two weeks, handle an array of administrative chores such as malware hosting, SMS shortcode registration, and offer malware campaign management tools. They also invest in extensive customer support, issue newsletters, and alert customers to downtime and new features. According to Lookout, they even run contests to keep their customers' interest high.
The headquarters' platform code, tools, and support are bought by a growing network of entrepreneurial "malware affiliates," who then create and distribute customized malware apps. These mobile apps, destined for Android smartphones and tablets, are made to look like "the latest Angry Birds game or Skype app," according to Lookout.
In an email, a Lookout spokesperson identified BadNews, AlphaSMS, and RuFraud as "examples of malware that have been tied to the Malware HQs."
But at least one of those, BadNews, is disputed. Lookout's Mark Rogers claimed in an April 19 blog post that BadNews was a "new malware family" disguised as an ad network, and that Lookout had found it present "in 32 apps across four different developer accounts in Google Play." Lookout "notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation."
Rogers added, not surprisingly, that "All Lookout users are protected against this threat."
But six weeks later, a Google employee said that Google itself had found no evidence that BadNews was, actually, bad news. Google employee and Android team member Adrian Ludwig, speaking at a Federal Trade Commission event, "Building Security Into Modern Mobile Platforms," in Washington, D.C. in June, said Google "had not found any evidence linking BadNews to so-called SMS toll fraud' malware," according to an account of his remarks by SecurityLedger.
"We've observed the app(lication) and we've reviewed all the logs we have access to," he said in that post. "We haven't seen a single instance of abusive SMS applications being downloaded as a result of BadNews."
SecurityLedger contacted Lookout for a reaction. The vendor's founder and CTO, Kevin Mahaffey, said "We're open to all possibilities. But, having observed the behavior of this ad network at length and analyzed its code, we don't see any possibilities other than this being a malicious ad network."
Malware makers in cahoots
According to Mahaffey, Lookout analyzed the underlying code that BadNews used to serve ads to mobile devices. "That analysis revealed that BadNews was substantially similar to another malicious ad network, which Lookout calls RUPaidmarket," according to SecurityLedger. Mahaffey said, "There is substantial code re-use. That indicates that the same person that wrote the RUPaidmarket malware is working on BadNews, as well."
Mahaffey also said that the "organization behind BadNews only pushes malicious ads for short periods of time as little as five minutes a day. Intermittent scanning of the ad network might easily miss such activity, but any company that observed the network over time would catch it."
For the malware affiliates, the burgeoning social networks, coupled with lax end-user security awareness, are a key distribution channel for links to the disguised malware. During Operation Dragon Lady, Lookout reviewed 250,000 unique Twitter handles. Of those, 50,000—one in five—linked directly to toll fraud campaigns created by malware affiliates, Lookout says.
According to Lookout, SMS short codes used in these apps are publicly registered "so a company is verifying [that] they will charge for Premium SMS." When a user sends a Premium SMS text, their phone bill is charged. Lookout says it has evidence that some affiliates are making up to $12,000 per month from such toll fraud.
The victim of these schemes is "usually a Russian-speaking Android user looking for free apps, games, MP3s or pornography," according to Lookout's statement. "The victim may have been using search engine or click through links in Tweets or mobile ads, then unwittingly download the malicious app which secretly adds a premium SMS charge to their phone bill."
In a perverse way, that profile could seem like good news because it suggests the damage is limited to Android users in Russia. Yet the model being pioneered by these Malware Headquarters lends itself easily to globalization, via a kind of criminal franchising. The headquarters operations are expanding, constantly looking for new "hires" with new and emerging skills, according to Lookout, in order to manage and maximize profits.