Malware is becoming increasingly economical to develop and deploy, and nowhere is this clearer than in China, where gangs have been quick to adapt their strategies in response to changes in mobile technology and user behavior. A recent Trend Micro report on the Chinese mobile underground highlighted how cybercriminals are exploiting the most basic and frequently used features of smartphones – messaging services (both SMS and OTT), address books and app stores – to defraud users of money and overwhelm them with spam.
Still, the concentration of mobile malware in China shouldn't blind the cybersecurity community to the fact that threats originate all over the globe. Keeping everyone safe is a complex exercise involving end-user steps such as utilizing security solutions and following best practices, as well as higher level moves by carriers, software developers, distributors and governments. Their collective anti-malware efforts must take into account the particular vulnerabilities of platforms such as Android, along with the ongoing shift from desktops to smartphones and tablets and the rise of lucrative schemes such as premium number services and malicious mobile ads.
Rise of China's cybercriminal underground underscores need for tighter cybersecurity
Smartphone applications and the mobile Web are gobbling a larger share of users' attention, and both legitimate and malicious parties have taken note. eMarketer estimated that the smartphone audience for advertisements would reach 1.75 billion in 2014, at around the same time that overall mobile Internet usage is expected to surpass desktop activity. By 2015, searches on handhelds could outnumber ones performed on PCs.
These numbers have already spurred advertisers and social networks to alter their strategies for driving user engagement and making money. For example, Facebook opened up custom audience capabilities to companies running mobile campaigns, and it continues to work on ads that are targeted to what a user is doing within a particular app.
Unsurprisingly, cybercriminals the world over have also been on the cutting edge of monetizing mobile Internet usage, except that they use subversive tactics to hijack applications and services and steer users into danger. The Trend Micro report, which follows up a similar document about the cybercriminal underground in Russia, points out how attackers in China and elsewhere have taken advantage of the falling costs of doing illicit business.
"The barriers to launching cyber-criminal operations [are less] in number than ever [before]," stated the report on China. "Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil. These have become popular means to sell products and services to cybercriminals in the said countries."
So what are China's gangs specializing in? Much of their focus is on launching spam campaigns and mining data from messaging services so that they can take advantage of changing online activity patterns. China's Internet users are highly mobile, with more than 80 percent of them (or 405 million individuals) having accessed the Web from their phones in 2013, so it makes sense that cybercriminals would target this growing population.
Digging into the spam and chargeware schemes of China's underground
Some of the specific tactics that underground attackers have been using in China include:
- Apple iMessage spamming services
- SMS forwarders and spammers
- Premium service numbers
- App store ranking boosters
All of these attack vectors target large, vulnerable populations, plus they're relatively inexpensive to pursue. For example, the software needed to conduct an iMessage spam campaign costs less than $5,000, and 1,000 text messages can be sent for only $16 (the same quantity of multimedia messages would run approximately $82). Similarly, 16-slot GSM modems are popular tools for SMS spam, capable of sending more than 9,000 messages per hour, yet one only costs $430.
With such low material barriers to entry, it's no surprise that text and multimedia spam have become so lucrative. On top of that, SMS is still an important service for verification and authentication, making it a big target for manipulation. Some carriers, as well as many Web service providers, send two-factor authentication codes via SMS text so that users can securely reset their passwords.
In China, the problem with this practice stems from the rise of Android SMS forwarders, which are Trojans that listen for SMS messages sent to users by banks or websites and intercept them. Once they have the verification codes, cybercriminals can take over accounts and change passwords. Source code for an SMS forwarder may cost as little as $500, and the app itself hides its icon and silently deletes the verification texts.
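As an added illustration of the forwarder traits just described (this is not code from the Trend Micro report), the Python below runs a defensive triage check over a decoded AndroidManifest.xml: it flags requested SMS permissions, a high-priority receiver for incoming SMS, and the absence of a launcher activity (the hidden icon). The manifest, package name and the priority threshold are constructed assumptions, not values from any real sample.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest for a hypothetical app (not taken from any real sample):
# SMS permission, a top-priority SMS_RECEIVED receiver and no launcher activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def analyze_manifest(manifest_xml: str) -> dict:
    """Heuristic triage of a decoded AndroidManifest.xml for SMS-forwarder traits."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)

    # Highest priority of any intent filter listening for incoming SMS; a large
    # value lets the app see a message before the stock messaging app does.
    top_priority = None
    for flt in root.iter("intent-filter"):
        if SMS_ACTION in {a.get(A + "name") for a in flt.iter("action")}:
            prio = int(flt.get(A + "priority", "0"))
            top_priority = prio if top_priority is None else max(top_priority, prio)

    # No activity with the LAUNCHER category means no icon in the app drawer.
    has_launcher = any(
        LAUNCHER in {c.get(A + "name") for c in flt.iter("category")}
        for act in root.iter("activity") for flt in act.iter("intent-filter"))

    indicators = []
    if sms_perms:
        indicators.append("requests SMS permissions: " + ", ".join(sms_perms))
    if top_priority is not None and top_priority >= 1000:  # assumed threshold
        indicators.append(f"high-priority SMS_RECEIVED receiver ({top_priority})")
    if not has_launcher:
        indicators.append("no launcher activity (hidden icon)")
    return {"indicators": indicators, "suspicious": len(indicators) >= 2}

if __name__ == "__main__":
    for line in analyze_manifest(SAMPLE_MANIFEST)["indicators"]:
        print("-", line)
```

Any single indicator is legitimate on its own (a messaging app needs SMS permissions; a background service may lack an icon), which is why the check only reports an app as suspicious when two or more traits coincide.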
This combination of furtiveness and economy is typical of China's cybercriminal underground. Consider the case of services that boost app store rankings. Unlike the U.S., where most Android apps are downloaded and managed through the official Google Play Store, China's mobile market is dominated by third-party stores that don't always scan software for viruses.
Their general lack of cybersecurity opens the doors for attackers who may manipulate an app's star rating and usage figures to entice more people to download it. For only $106, cybercriminals could set up enough passable dummy accounts to give an app 180,000 additional "users," raising its profile and increasing the reach of any malware campaign with which it was involved.
What users can do to stay safe
The problem with China's mobile underground may not be readily fixable without input from the country's software vendors and telecommunications providers. Still, users everywhere can take steps to look out for suspicious app stores and pay attention to the permissions that different types of software request. Where applicable, blocking all downloads from non-official stores is also advisable. Moreover, the cybersecurity community has an obligation to guide users toward these best practices.
"As part of the security industry, we must pay attention to developments in the mobile underground," the Trend Micro report concluded. "And we should exert effort to educate mobile users on the risks they face and help them improve their security posture so they can protect not just their mobile devices but also the information stored in them."