Malware-as-a-Service Blossoms in Russia, Vendor Research Finds
An investigation by mobile security vendor Lookout warns that malware is being transformed into a large-scale, sophisticated software business, complete with customer support. The main target: fraudulent SMS charges costing end users and operators millions each year.
Mon, August 05, 2013
Network World — Highly organized Russian groups have transformed mobile hacking into an industrial-scale business, a kind of "malware-as-a-service," complete with marketing affiliates, distributors and customer support. Ten such criminal enterprises are responsible for more than 60% of all Russian malware, and for millions of dollars in fraudulent SMS toll charges against end users' phone bills.
The details of the extent and sophistication of Russian malware, most of it so far targeted against Russian-speaking Android phone users, are the result of a six-month-long investigation called Operation Dragon Lady by Lookout, a mobile security firm based in San Francisco. The company markets and sells security and antivirus apps to Android and iOS users and to business clients, to combat the same kind of problem uncovered by its investigation. Lookout researchers combined the results of Dragon Lady with three years of data collection on malware patterns in Russia.
Lookout researchers presented the results over the weekend at the DefCon Hacking Conference in Las Vegas. The full report is now online.
Together, the two data sources reveal the existence of sophisticated networks treating malware as a business. At the top are what Lookout calls "Malware Headquarters," which create do-it-yourself malware platforms, and then market and support these like any legitimate software vendor. The headquarters keep an aggressive schedule, releasing new Android code and configurations every two weeks; handle an array of administrative chores such as malware hosting and SMS shortcode registration; and offer malware campaign management tools. They also invest in extensive customer support, issue newsletters, and alert customers to downtime and new features. According to Lookout, they even run contests to keep their customers' interest high.
The headquarters' platform code, tools, and support are bought by a growing network of entrepreneurial "malware affiliates," who then create and distribute customized malware apps. These mobile apps, destined for Android smartphones and tablets, are made to look like "the latest Angry Birds game or Skype app," according to Lookout.
In an email, a Lookout spokesman identified BadNews, AlphaSMS and RuFraud as "examples of malware that have been tied to the Malware HQs."
But at least one of those, BadNews, is disputed. Lookout's Mark Rogers claimed in an April 19 blog post that BadNews was a "new malware family" disguised as an ad network, and that Lookout had found it present "in 32 apps across four different developer accounts in Google Play." Lookout "notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation."