Study: Russian Cybercriminal Networks May Be Behind Android Threats


Organized cybercriminal organizations in Russia may be behind one of the most profitable threats against Android devices, according to a new study.

SMS toll fraud, which silently sends text messages to premium rate numbers, may be being led by a group of about 10 organizations that push customizable malware platforms to an army of affiliate hackers, according to San Francisco-based Lookout Mobile Security. The firm said the attacks have been highly profitable, earning some affiliates up to $12,000 per month.

"The affiliates can customize their toll fraud malware so that it looks like the latest Angry Birds game or Skype app in order to lure in a potential victim," Lookout said in its report, issued Friday at the DEFCON security conference in Las Vegas.

[Related: Mobile Malware Needs Different Security Approach, Say Researchers
]

More than 50 percent of Lookout's total malware detections in the wild for the first half of 2013 were Russian-based toll fraud, according to the report, which is called "Dragon Lady" in reference to the U2 reconnaissance aircraft used to monitor the former Soviet Union during the Cold War. The report analyzed Russian-made SMS malware over three years. The firm identified nearly 50,000 Twitter accounts used to advertise and distribute Android SMS fraud malware.

Kevin Mahaffey, founder and CTO of Lookout Mobile Security, told CRN that the vast majority of mobile threats are apps that have an adware or spyware component. They use aggressive advertising tactics and often siphon sensitive data from device owners, such as their personal information, browsing habits, location and contacts, Mahaffey said in a recent interview.

"It's a problem in almost every country that we've analyzed," Mahaffey said of adware and spyware. "It's not just developers overstepping for the sake of selling the info to advertisers, it's also potentially malicious activity that can be used in dangerous ways."

SMS Trojans follow closely behind adware and spyware and are often embedded in mobile apps that masquerade as popular mobile gaming or productivity apps, Mahaffey said. While the vast majority are spread via third-party application repositories or by the process of side-loading an app on a device, the threatening apps can sometimes find their way onto the legitimate Google Play store, Mahaffey said.

Victims often seek out free versions of popular games, according to the report. They land on what appears to be an official download page but is actually a landing page that serves up the malicious application masquerading as a popular game, Lookout found.

According to the Lookout report, the malware is becoming more complex and structured over time. Malware authors are using advanced techniques, including code obfuscation and encryption, to hide configuration files and evade detection, the report found.

Lookout detected the BadNews malware family in April, identifying more than 30 mobile apps in Google Play that connected to the Russian-based malicious distribution network, pushing the SMS toll fraud. BadNews was capable of stealing other information, including phone number and device ID, and sending it to remote command and control servers based in Russia and the Ukraine. The malicious applications were on Google Play for a short time, but Lookout said statistics showed the number of downloads in the millions.

PUBLISHED AUG. 5, 2013