Almost a third of all mobile malware is made by just 10 organisations operating out of Russia, a security company has claimed.
These “malware HQs” are pumping out toll fraud apps, largely aimed at Android users, which silently send texts to premium rate numbers, said Lookout Mobile Security.
It followed the money all the way back to these ten organisations, discovering thousands of affiliate marketers are also profiting from the scheme, helping spread the malware by setting up websites designed to trick users into downloading seemingly legitimate apps.
These affiliates, who can make up to $12,000 a month, are heavy users of Twitter too. Lookout looked at 500,000 unique Twitter handles it believed were involved in spreading mobile malware, 247,863 of which were linking directly to malicious kit from the micro-blogging platform.
“We are not too fond of their activity,” co-founder and CTO of Lookout, Kevin Mahaffey, told TechWeekEurope earlier this week, ahead of the report’s release at the DEF CON 21 conference in Las Vegas.
“We cannot comment on ongoing investigations with law enforcement. But we are very motivated to get them to stop.”
Ryan Smith, senior security engineer at Lookout, said the malware HQs had gone to great lengths to obfuscate and encrypt their code to make detection tricky. Yet many advertise in the most brazen of ways on the public Internet, as the screenshots accompanying the original article show.
These malware factories pump out the tools that let the affiliates create custom malware to their liking, meaning they don’t require much technical nous. The main skills they need are web development and a knack for phishing: building pages that look like the Google Play market itself, or ones that claim to link to updates for popular software such as Skype or Opera.
The next step is to organise massive advertising campaigns over Twitter, getting users to download the app, which starts sending texts without the users’ permission to premium rate numbers. The affiliates take the money, some of which gets invested into more malware.
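The distribution pattern described above (affiliates tweeting links to direct APK downloads hosted on lookalike or brand-themed domains rather than on Google Play) lends itself to a simple triage heuristic. The script below is an added illustration written for this page, not Lookout’s own tooling or methodology; the tweet records are constructed sample data, the hostnames are invented, and the three indicators it checks (a direct `.apk` download off-market, a host that imitates Google Play, a brand name such as Skype or Opera in the host) are assumptions chosen to mirror the article, not a published detection rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample tweets for illustration only (not real accounts or URLs).
SAMPLE_TWEETS = [
    {"handle": "user_a", "text": "New Skype update here http://skype-update-free.example/skype.apk"},
    {"handle": "user_b", "text": "Nothing to see here, just the weather"},
    {"handle": "user_c", "text": "Opera Mini: https://play.google.com/store/apps/details?id=com.opera.mini.native"},
    {"handle": "user_d", "text": "Free apps http://play-google.example/market/app.apk"},
]

URL_RE = re.compile(r"https?://[^\s]+")

# Hosts treated as the legitimate market; anything else serving an APK is off-market.
LEGIT_MARKET_HOSTS = {"play.google.com", "market.android.com"}

# Brands the article says affiliates impersonate in fake "update" pages (assumption).
IMPERSONATED_BRANDS = re.compile(r"\b(skype|opera)\b")


def classify_url(url):
    """Return a list of indicator names for a suspicious URL, or None if nothing fires."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    # Links into the real Play store are not flagged by these heuristics.
    if host in LEGIT_MARKET_HOSTS:
        return None

    reasons = []
    # Direct APK download from anywhere other than the market: sideloading lure.
    if path.endswith(".apk"):
        reasons.append("direct_apk_offmarket")
    # Host that borrows both "play" and "google" to look like the Play store.
    if "play" in host and "google" in host:
        reasons.append("play_lookalike_host")
    # Host that leans on an impersonated brand name (e.g. fake Skype/Opera update).
    if IMPERSONATED_BRANDS.search(host):
        reasons.append("brand_in_host")
    return reasons or None


def triage(tweets):
    """Extract URLs from each tweet and keep those that trip at least one indicator."""
    hits = []
    for tweet in tweets:
        for url in URL_RE.findall(tweet["text"]):
            reasons = classify_url(url)
            if reasons:
                hits.append({"handle": tweet["handle"], "url": url, "reasons": reasons})
    return hits


def flagged_handles(tweets):
    """Distinct handles that linked directly to something the heuristics flagged."""
    return sorted({hit["handle"] for hit in triage(tweets)})


if __name__ == "__main__":
    for hit in triage(SAMPLE_TWEETS):
        print(hit["handle"], hit["url"], ", ".join(hit["reasons"]))
    print("flagged handles:", flagged_handles(SAMPLE_TWEETS))
```

Run against the constructed sample, two of the four handles are flagged: one for a direct APK on a brand-themed host, one for a direct APK on a Play lookalike host; the genuine Play link and the tweet with no URL pass. In practice these indicators are a starting point for prioritising review, not proof of malware, and the real work is following the landing page to the APK and confirming what it does with SMS permissions.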
Whilst Lookout isn’t divulging the names or whereabouts of the original malware sellers, other than saying they’re based in Russia, it continues to monitor the operation, which it has called Dragon Lady. “We have cast a wider net around these organisations,” Smith added. “We are monitoring domains used by the affiliates and malware HQs.”