Google's Android mobile operating system has been a favored target of ambitious cybercriminals and a common conduit for malware distribution. The attacks on it are becoming more syndicated and professionalized. A select group of 10 Russian cybercrime syndicates is molding Android SMS chargeware, the most common type of mobile phone malware, into a full-fledged business supported by a dedicated marketing team and an array of affiliate websites.
By imitating legitimate software resellers, Russian cybercriminals have been able to produce and regularly maintain a stable of sophisticated rogue apps, most of which exploit common mobile security pain points like ad networks, social media and free content distribution. Although this malware-as-a-service model is for now mostly confined to Russia, it could attract the envy of hackers across the globe as they either try to copy its profitability or directly contribute to its operations.
Mobile ad networks enable SMS chargeware – and potentially more
Cybersecurity firms began Investigating the Russian ring in December 2012, and they observed that its applications already accounted for three-fifths of all mobile malware in Russia and Eastern Europe, according to Dark Reading contributor Kelly Jackson Higgins.
Currently, the gangs' primary distribution tool is an ad platform that lures users with offers of free MP3s, popular mobile games like Angry Birds and apps like Skype. Once a user clicks on an ad, malware is downloaded to the phone and it enables hackers to begin charging and collecting premium SMS fees from a user's account. Network World's John Cox reported that some affiliates have made upward of $12,000 per month from these advanced schemes.
"They are a service provider," said Ryan Smith, senior researcher at Lookout, the mobile security firm that recently documented the Russian malware-as-a-service trend, in Higgins's article. "They create the business relationships with these resellers of short [SMS] codes and they'll handle the finances … The commoditization of this and how there's such an industry around this [demonstrates] they're building a business model."
Much of the time, affected applications may appear innocuous. Many Android games and other apps utilize push ads for monetization, and the Russian syndicate has used one of its ad networks, named BadNews, to specifically target the Google Play Store, stated CSO Online contributor Liam Tung. While costly SMS scams are the primary payload for these Android ad campaigns right now, the real issue may actually lie in the complexity of the network itself, which could ultimately make it an efficient delivery mechanism for a variety of malware.
"With the sophistication just on the Android code alone, you can see they are spending time and effort trying to add new features and obfuscation techniques, and new distribution channels and themes," Smith told Higgins. "SMS fraud is hot now, but say banking fraud turns out to be [appealing and profitable] tomorrow, maybe they shift gears and try to make their money on that."
Social media and marketing extend malware's reach, efficacy
In addition to Google Play, Russian's professional cybercriminals also rely on Twitter for circulating their seeds of ruin. Lookout's Operation Dragon Lady investigation into the gangs revealed that there were approximately 50,000 Twitter handles – one-fifth of the total observed sample – that had produced Tweets linking to sites that delivered malware akin to that served by BadNews and related networks like RUPaidmarket, according to Cox.
The perpetrators have established a complex organizational structure that, like that of a legitimate vendor, divides programming and administrative tasks. In addition to updating their ad networks and malware applications, the gangs have also publicly registered their SMS short codes in order to verify payments.
"Malware HQs handle the tough stuff like releasing new Android code and configurations every two weeks, malware hosting, shortcode registration, and marketing campaign management tools," said Smith in an excerpt reprinted by The India Times. "Like any other large business, Malware HQ organizations provide customer support, post regular newsletters, report downtime or new features, and even run regular contests to keep their affiliates engaged and motivated."
Operationally, the Russian groups resemble agile software development firms, releasing new versions every one to two weeks. Higgins noted that they also utilize advanced procedures like encryption of configuration files in order to evade detection. Their shifting tactics have helped them to continue in spite of the initial discovery last April of 32 apps, tied to four Google Play developer accounts, infected with BadNews.