Android Malware Scam Nets Millions Per Year

Criminals have created a network of infected Android devices that could be netting millions per year, researchers say

Hackers have constructed a botnet affecting hundreds of thousands of Android devices and potentially generating millions of pounds per year, according to security researchers from Symantec and North Carolina State University.

The botnet was uncovered by Xuxian Jiang of North Carolina State University, who used the name RootStrap to designate the malware involved, with further research carried out by Symantec, which calls the malware Android.Bmaster.

Chinese infections

The code is spread via third-party application marketplaces in China and is bundled with around 30 legitimate applications, Symantec said last week.

“Trojanised applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application,” said Symantec researcher Cathal Mullaney in a blog post.

The malware takes over a user’s device and generates revenues by secretly transmitting premium-rate SMS messages, connecting to premium-rate numbers and accessing pay-per-view videos, researchers said.

The botnet’s operators have such close control over compromised devices that they are also able to delete the numbers, texts and videos involved from the device’s records and block incoming messages that may alert a user to the infection, Symantec said.

“The botmaster has a fine-grained level of control over the infected devices,” Mullaney wrote. “An infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days. Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website.”

Privilege escalation

Once installed, the malware downloads the GingerBreak jailbreak tool and uses it to elevate its privileges on the devices, after which it downloads and installs the BMaster remote administration tool and malware including DroidLive.

The infected handset transmits data to the hackers that allows them to identify and locate the device, including IMEI and IMSI numbers, location area code and mobile network code.

Symantec said Android.Bmaster, which has been running since September 2011, represents a new wave of revenue-generating Trojans that rank on par with desktop botnets.

The company accessed the botnet’s command-and-control servers and found that the number of active, infected devices ranged from 10,000 to 30,000 per day.

“The motivation behind the botnet is financial,” Mullaney wrote. “Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 (£1,013) to $9,000 (£5,695) per day and $547,500 (£346,504) to $3.29m (£2.1m) per year the botnet is running.”

He said such scams are likely to constitute a growing problem for the Android platform.

“This is not the first example of an active, revenue-generating Android botnet we have seen,” he wrote. “However, considering the huge market for Android apps, the availability of third-party app stores without security checks, and the massive revenue which can be generated from this type of botnet, Android.Bmaster’s million-dollar botnet certainly won’t be the last.”