The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone in 2013. The CNNIC also reported that China ended 2013 with 618 million Internet users and 500 million mobile Internet users.

This change in user behavior is affecting the cybercriminal underground. Cybercriminals are now more likely to target mobile users, with some “businesses” in the cybercrime underground economy that are specifically aimed at mobile users. One particular business that has found success inside China is sending SMS spam.

Just as email has been abused by spammers for many years, mobile users are now receiving large amounts of SMS spam as well. Like their email counterparts, SMS spam is used to advertise various products as well as lead users to malicious sites. Sending these messages is cheap, too: sending 100,000 messages can cost only about $450.

One way SMS spam is sent to these users is using a GSM modem. These modems are devices which, when attached via USB to a PC, can send out text messages to multiple users in a very small amount of time. The device is controlled using an application on the PC. Basic devices will have only one SIM card, but more advanced versions (also known as a GSM modem pool) will use multiple antennas and SIM slots to send SMS messages more quickly. A 16-slot GSM modem pool (like the device below) can send up to 9,600 text messages per hour. They are available for approximately $425 each.

Figure 1. A GSM modem with 16 SIM card slots

Other tools that can be used Internet short message gateways. These are devices provided by mobile carriers to allow service providers to send large numbers of text messages. Alternately, a “SMS server” can also be used; These use a software-defined radio (SDR) to impersonate a cellular base station; when phones connect to this “base station” they instead all receive SMS spam.

Sending spam is only the tip of the iceberg when it comes to these threats. My paper titled The Mobile Cybercriminal Underground Market in China examines similar products, as well as other items for sale in the Chinese cybercriminal underground. The paper offers an overview of some of the basic underground activities in the China mobile space, as well as some of the available products, services, and their respective prices.

The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.

Gathering knowledge about the Chinese underground economy is not particularly difficult, but does pose some challenges. The sites and markets that make up this underground economy are not visible to the public, but are hidden in forums and QQ chat groups. While many underground economies are organized via underground forums, the use of QQ chat groups is unique to China. These sites use their own jargon to name and describe their groups, but cybercriminals familiar with their jargon can easily find what they want.

In some ways, the Chinese underground is similar to other legitimate economies: it offers a wide variety of products and services at a variety of price points. The services offered include:

• Distributed Denial of Service (DDoS) kits and servers
• Remote Access Tools (RATs)
• Detection evasion services
• Compromised webhosts
• Phishing kits
• Stolen user information
• Webshells

In all of these cases, a robust and healthy ecosystem exists, with cybercriminals being able to purchase their chosen product at a variety of price points.

For example, for denial of service attacks, cybercriminals can choose to rent dedicated servers to mount more large-scale attacks. A modest Atom-based server can cost 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1Gb/s connection can cost 2100 RMB (US$345) a month.

The variety of prices is most evident in the sale of webshells, scripts that allow an attacker to maintain control over a compromised site. Sites with low page rankings on Baidu and Google can cost around 220-300 RMB (US$36-49) for a bundle of 270 sites; sites with higher page ranks can go for as much as 999 RMB (US$164).

We hope that this paper will help readers understand the Chinese underground, in order to understand the kind of threats that users are likely to face from these threat actors and prepare the necessary defenses accordingly.

With Android’s steady growth in the US market and other parts of the world, it’s no surprise that the Android OS is also becoming more and more popular in China. Many users choose to use Android-based devices because of their powerful functions, various phone types, reasonable prices, and plenty of applications. A consequence of this wide-spread usage is that the Android OS is now the second-largest smartphone OS in China.

This growth of Android users in China, however, seems to do little for the rocky relationship between Google and the Chinese government. It has been reported that access to the Google Android Market has been intermittent since 2009 (Access to the Android Market was last reported blocked in October, but was unblocked again three days after).

Read the rest of this entry »

Trend Micro uncovered how cybercriminals may profit from NICKISPY variants. A Chinese website offers mobile phone monitoring tools and services to customers who are given access to the site’s backend to retrieve information. However, such services are not cheap and can cost from US$300–540.

We’ve been reporting about several NICKISPY variants—Android malware that can monitor a mobile phone user’s activities and whereabouts like SMS, phone calls, and location—here on the Malware Blog and we’ve been curious as to how cybercriminals use private information and earn money from stealing it.

Now, we have a clear example. We found a Chinese website that offers a mobile phone monitoring service. Once a customer decides to employ the service, he/she gets an account to log in to a backend server of the service, from which information gathered from a target device can be viewed.

The backend service can be accessed through a portal where the user must first send an MMS that includes malware as an attachment to a victim’s mobile phone number. The malware, once installed on the victim’s mobile phone, will be used to monitor information related to SMS, phone calls, device location, and email messages. Reports are then sent back to the backend service, which can then be accessed by the customer through the portal.

Here is the configuration page of the backend server’s portal:

The Remote Receiver Phone Number filed is the phone number that will receive the reports sent by the service, which contains new activity information from the monitored phone. Note that the customer may choose which number will be displayed as the sender of the MMS. Using a number that the victim is familiar with may convince him/her that he/she is receiving a normal MMS and be completely unaware that a malware was already installed in his/her device.

Read the rest of this entry »

We recently found an Android malware that comes off as a variety of applications in a China-based third-party app store.

The samples we were able to acquire came in the guise of a love test app, an e-book reader, or a location tracker. It is immediately noticeable that the said apps do more than these are supposed to based on the permissions these seek.

This particular Android malware detected as ANDROIDOS_LUVRTAP.B automatically executes once an infected Android device is rebooted.

Read the rest of this entry »