Russian mobile malware factories working with thousands of affiliates to exploit Android users
Almost a third of all mobile malware is made by just 10 organisations operating out of Russia, a security company has claimed.
These “malware HQs” are pumping out nasty toll fraud apps, largely aimed at Android users, which force the user to call premium rate numbers, said Lookout Mobile Security.
It followed the money all the way back to these ten organisations, discovering thousands of affiliate marketers are also profiting from the scheme, helping spread the malware by setting up websites designed to trick users into downloading seemingly legitimate apps.
These affiliates, who can make up to $12,000 a month, are heavy users of Twitter too. Lookout looked at 500,000 unique Twitter handles it believed were involved in spreading mobile malware, 247,863 of which were linking directly to malicious kit from the micro-blogging platform.
Mobile malware crackdown
“We are not too fond of their activity,” co-founder and CTO of Lookout, Kevin Mahaffey, told TechWeekEurope earlier this week, ahead of the report’s release at the DEF CON 21 conference in Las Vegas.
“We cannot comment on ongoing investigations with law enforcement. But we are very motivated to get them to stop.”
Ryan Smith, senior security engineer at Lookout, said the malware HQs had gone to great lengths to obfuscate and encrypt their code to make detection tricky. Yet many advertise in the most brazen of ways on the public Internet, as seen in the images below:
These malware factories pump out the tools that let the affiliates create custom malware to their liking, meaning they don’t require much technical nous. The main skill they require is web development and a knack for phishing, creating pages that look like the Google Play market itself, or ones that link to updates for popular software, like Skype or Opera:
The next step is to organise massive advertising campaigns over Twitter, getting users to download the app, which starts sending texts without the users’ permission to premium rate numbers. The affiliates take the money, some of which gets invested into more malware.
Whilst Lookout isn’t divulging the names or whereabouts of the original malware sellers, other than saying they’re based in Russia, it continues to monitor the operation, which it has called Dragon Lady. “We have cast a wider net around these organisations,” Smith added. “We are monitoring domains used by the affiliates and malware HQs.”
What do you know about Internet security? Find out with our quiz!