Highly organized Russian groups have transformed mobile hacking into an industrial-scale business, a kind of "malware-as-a-service," complete with marketing affiliates, distributors and customer support. Ten such criminal enterprises are responsible for more than 60% of all Russian malware, and for millions of dollars in fraudulent SMS toll charges billed to end users' phone accounts.
The details of the extent and sophistication of Russian malware, most of it so far targeted at Russian-speaking Android phone users, are the result of a six-month-long investigation called Operation Dragon Lady by Lookout, a mobile security firm based in San Francisco. The company markets and sells security and antivirus apps to Android and iOS users and to business clients, to combat the same kind of problem its investigation uncovered. Lookout researchers combined the results of Dragon Lady with three years of data collection on malware patterns in Russia.
Lookout researchers presented the results over the weekend at the DefCon Hacking Conference in Las Vegas. The full report is now online.
Together, the two data sources reveal the existence of sophisticated networks that treat malware as a business. At the top are what Lookout calls "Malware Headquarters," which build do-it-yourself malware platforms and then market and support them like any legitimate software vendor. The headquarters keep an aggressive release schedule, shipping new Android code and configurations every two weeks; handle administrative chores such as malware hosting and SMS shortcode registration; and offer malware campaign management tools. They also invest in extensive customer support, issue newsletters, and alert customers to downtime and new features. According to Lookout, they even run contests to keep their customers' interest high.
The headquarters' platform code, tools, and support are bought by a growing network of entrepreneurial "malware affiliates," who then create and distribute customized malware apps. These mobile apps, aimed at Android smartphones and tablets, are made to look like "the latest Angry Birds game or Skype app," according to Lookout.
In an email, a Lookout spokesman identified BadNews, AlphaSMS and RuFraud as "examples of malware that have been tied to the Malware HQs."
But at least one of those, BadNews, is disputed. Lookout's Mark Rogers claimed in an April 19 blog post that BadNews was a "new malware family" disguised as an ad network, and that Lookout had found it present "in 32 apps across four different developer accounts in Google Play." Lookout "notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation."
Rogers added, not surprisingly, that "All Lookout users are protected against this threat."
But six weeks later, Google said it had found no evidence that BadNews was, in fact, bad news. Adrian Ludwig, a Google employee and member of the Android team, speaking in June at a Federal Trade Commission event in Washington, D.C., "Building Security Into Modern Mobile Platforms," said Google "had not found any evidence linking BadNews to so-called 'SMS toll fraud' malware," according to an account of his remarks by SecurityLedger.