Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian-Made Malware

Today at DEF CON 21, we presented an in-depth investigation of Russian SMS fraud code-named “Dragon Lady,” referencing U2 reconnaissance aircrafts that were used during the Cold War to monitor the Soviet Union. Starting in December 2012, this investigation brought together vast amounts of data from multiple channels to uncover a pervasive and organized cottage industry built around the distribution of Android premium SMS fraud. We’ve enumerated ten “Malware Headquarters” accounting for over 60 percent of the Russian malware Lookout has observed in the wild.
We discovered several distribution channels through sources such as Twitter, then followed a digital path back from those distribution channels to identify several ‘start-up like’ organizations. These Malware Headquarters (Malware HQs), handle business logistics, management of SMS shortcodes and offer an easily configurable Android SMS fraud malware platform. Affiliate marketers then customize the malware apps and distribute them through channels like Twitter to drive mobile users to fraudulent affiliate websites. Unwitting victims are tricked into downloading malicious apps that charge a fee through toll fraud. We’ve seen evidence that these affiliate marketers have earned between $700/month to $12,000/month from these scams, and estimate that there are thousands of individual distributors and potentially tens of thousands of affiliate websites promoting these custom SMS malware in the same manner as traditional affiliate web marketers. Many of the malware organizations, affiliates and campaigns remain live, however all Lookout users are protected from known threats.

Key Findings

• Organized groups of Android malware authors are operating like startups: tapping multiple individuals or organizations for specialization in different business areas, leveraging online tools for promotion and developing affiliate programs. At least one Russian malware “startup” has been discovered earning tens of thousands of dollars per month and operating thousands of websites through their affiliates.
• Many of the malware families have regular code release cycles every few weeks similar to agile software development organizations.
• Twitter is a major tool for distribution by these affiliates. They are using Twitter as a vehicle to distribute tens of thousands of links to malicious apps in an effort to leverage the social media platform to drive more traffic to their download pages. While promoting malware is nothing new, this demonstrates how rapidly they are adjusting to mobile and experimenting with new media formats for campaigns.
• The organizations offer “Easy-Bake” Android SMS fraud malware where affiliates can configure their options, and the code is compiled automatically each time a victim downloads it. The link is attached to a unique piece of malware that the affiliates can then distribute as they see fit in an effort to maximize download numbers. This process makes it very simple for anyone to execute a malware campaign.
• Russian malware affiliates are experimenting with various distribution tactics, which range from straight-up distribution of malware links, to more “grey-area” borderline ad networks that distribute bad stuff. We’ve witnessed Android advertising libraries as alternative distribution channels for malware campaigns. Specifically, our discovery of BadNews in April was an example of a malicious advertising library which was primarily used to send victims links to sms toll-fraud malware.
• The malware authors are employing several malware anti-detection techniques in their distribution points as well as their code. Although most of these evasion techniques are basic individually, when combined, the distribution points and code are more challenging to track the new versions of the malware.

The Malware HQ: An Organized Operation

Lookout followed the trail of Russian SMS fraud malware back to several well organized distribution hubs which we’re calling a Malware HQ. We enumerated ten Malware HQs accounting for over 60 percent of the Russian malware Lookout has observed in the wild. These organizations handle many of the logistics and business services required to manage an SMS fraud campaign, then offer these pre-packaged services to “affiliates” who can focus on running campaigns and driving additional traffic without needing to handle the low-level technical and business requirements. These Malware HQs entice new affiliates with a common message: “We’ll make it easy for you to _monetize_ your mobile web traffic” Of course this _monetization_ is accomplished by the predatory practice or promising victims a useful Android application under false pretenses and instead covertly charging them through premium SMS messages. Below are examples of the websites operated by the Malware HQs.


[Caption: Websites operated by Malware HQs that demonstrate how easy it is to make your own malware.]
Some of the services offered by Malware HQs are:

• Development and maintenance of the Android SMS fraud apps
  • On average new code updates are released every 1-2 weeks
  • Many of the Malware HQ use multiple levels of code and data obfuscation techniques to avoid detection
• Registration of SMS short codes and dissemination of resulting funds
  • Each of the Malware HQ organizations have up to 100 individual short codes, which target users in a specific set of countries.
  • Most Malware HQs include these SMS short codes in encrypted or encoded configuration files which are regularly updated along with the code and are included in the latest release.

Below are examples of gamification of affiliate earnings managed by a Malware HQ.

• Affiliate marketing programs
  • Gamification of earnings and contests for the biggest winners
  • Affiliate communications including newsletters and regular blog posts about new features

Below is a newsletter by Malware HQ with posts about a competition, maintenance and payout schedule:

Easy Bake Malware: Customized SMS Fraud

The core function of a Malware HQ is to provide affiliates with a custom-built Android application which will charge victims through premium SMS messages and funnel the resulting funds back into the affiliate’s payment account. Although some Malware HQs have a few special features, all of them follow the same basic recipe. A simple step-by-step guide takes even the most novice of affiliates through the process of creating customized Android SMS fraud applications. Affiliates can either create a custom template or choose a pre-packaged templates, often portraying popular apps such as Google Play, Adobe Flash, Skype, games like Bad Piggies, MP3s, or pornography. The templates are highly configurable, allowing the affiliates to change the application’s title, icon, look and feel, and even how much the victims will be charged. Affiliates then use this tracking system to monitor the number of “impressions” and “conversions” for a particular campaign, allowing the more advanced affiliates to optimize and iterate campaigns.
6 Step Process to Easy-Bake Malware from one Malware HQ:
Step 1: Create your campaign

Step 2: Choose your target operating systems

Step 3: Select your mobile template with extra details including conversion rate

Step 4: Code to copy and paste into your website to redirect your visitors to download pages

Malvertising: Affiliates & Distribution

A significant amount of money and effort is invested in affiliate campaign management and distribution. We discovered at least one affiliate investing $1k-$2k in operating expenses over three months, and claiming $12,000 in profit. Based on the investigation of the sites involved, we estimate that there are thousands of marketing affiliates and potentially tens of thousands of affiliate websites involved in promoting these pieces of malware.
Similar to traditional marketing campaigns, a greater volume of web traffic and more intuitive process will lead to higher conversion. Once an affiliate has created their customized SMS fraud application at Malware HQ, their goal is to entice mobile users to visit the campaign, hosted on a mobile web page and install the malicious application. Affiliates are experimenting with the latest marketing techniques, like social media and mobile ads. The tactics for driving traffic include:

• Destination Landing Pages: Affiliates are responsible for creating their own destination landing pages that redirect users to download the malicious app hosted by the HQ. These landing pages are often designed to be enticing to mobile users, advertising popular downloads such as Angry Birds, Skype, Opera, or Flash updates.

Below are samples of affiliate landing pages.

• Twitter: Twitter is a primary distribution channel for malware affiliates because search engines assign a high value to indexed tweets which means higher ranking in the search results. When searchers seek out free songs, apps or porn, a high search ranking promotes the affiliate content. Lookout combed through 247,863 unique twitter handles and over a million tweets. Nearly 50,000 of the unique handles and nearly 25 percent of all tweets identified were confirmed linking to malware. While many of the accounts were still active, Twitter’s security team appeared disable accounts which they identified as malicious.  We reported the remaining malicious accounts, their behavior, and our findings to Twitter in May 2013.

[Caption: Malvertising by an affiliate that links to landing pages that host malicious apps]

• Mobile Ad Networks: Lookout recently reported on a new malware, BadNews, which was found to be a new technique to drive mobile traffic to SMS fraud campaigns. BadNews was designed to look like an advertising library in legitimate Android applications, but the advertisements that it displayed linked directly to SMS fraud malware hosted by top HQs.

[Caption: The blurred URL in this string of code—sampled from BadNews—links to a landing page promoting malware hosted by a Malware HQ]

Victims of SMS Fraud

The typical victim of this malware scheme is a Russian speaker searching for popular applications such as Skype or for free porn, videos, pictures and MP3s. The landing pages that the affiliates build are tuned to filter out any visitors from outside their targeted countries, or are not coming from a mobile device. A victim might search for a free version of “Bad Piggies” and stumble on a website that looks like an official Russian download page, but is actually a specially crafted affiliate landing page. When a victim clicks to download what they believe to be the Bad Piggies app, they will be charged a fee via premium SMS messages without their consent. There are often terms of service (TOS) included in the app when the user downloads, but they are not well presented to the users. Often, the TOS is intentionally buried or hidden from sight, such as white text on a white background or forcing the user to scroll down for two minutes before the TOS appears. To add insult to injury, even after being charged by the malicious application, they’re only provided a link where they may be able to download the actual (free!) application they were looking for originally.

Anti-Detection Techniques

Both the affiliates and the Malware HQ organizations are sensitive to the fact that anti-virus companies and network operators are constantly observing their operations in attempt to curb their success. In fact, we know they specifically attempt to evade Lookout:

To avoid detection and maximize their success they use several layers of common evasion techniques, including:

• Android SMS Malware Obfuscation
  • Code Obfuscation
    • Package, class, and method naming randomization
    • Encrypted strings
    • Injected dummy code
    • Reflection
  • Encryption
    • Configuration files and assets are encrypted
  • Affiliate Landing Pages
    • Traffic is filtered based on a victim’s:
    • Country
    • This is determined based on their IP address and is typically limited to Russia and the surrounding region.
  • Device Type
    • This is typically based on the User-Agent string, but we have also begun to see a rise in landing pages when use run-time JavaScript tests to verify that they are in fact using a mobile device.
  • Twitter Distribution
    • Affiliates will generally use a “low and slow” approach by registering a large number of accounts to spread the landing page advertisements evenly across all of them and tweeting them out at a slower rate.

Discovery

Lookout has been actively tracking SMS fraud malware that targets Android users since the first example was found in the wild in August 2010. Three years later, we’ve seen significant advancements in sophistication and evasion techniques, however the primary purpose remains unchanged: make financial gains by enticing users to download a malicious application under false pretenses, then secretly making charges to their phone bill via premium SMS messages. Early on we were able to determine that this type of malware was being hosted on custom websites, designed to lure victims in with enticing themes such as pornography or games.
Over time, this collection of malware samples which targeted Russian users with SMS fraud, became the largest percentage of our total Android malware collection. Over 50% of Lookout’s total malware detections in the wild for the first half of 2013 were Russian SMS toll fraud applications. By reviewing each new version of code, we saw a few patterns emerge:

• The code became more complex and structured over time, resembling professionally developed code.
• The code was highly configurable and reduced the amount of hard-coded information such as SMS short code numbers and messages, replacing them with XML configuration files.
• The malware authors made a significant effort to obfuscate their code and encrypt their configuration files to evade detection.
• The code was updated on regular release cycles, every 1-2 weeks in most cases.

These factors, combined with the dramatic increase in the number of detections, seemed to indicate not only that there were significant efforts behind some of these malware families, but they are also well organized operations.
We began to monitor a live Twitter stream to look for users advertising links to Android downloads that fit the common themes, such as popular games, apps, or pornography. Within minutes of monitoring tweets fitting these descriptions, we quickly realized that we were on to something as we noticed clusters of tweets in Russian advertising popular game titles like the ones below.

[Caption: Clusters of Russian tweets advertising popular game titles]
Note that many of the authors of these tweets are using Twitter’s default egg profile pictures, which we confirmed is a key indicator for malware distribution accounts.
Over the next months, we monitored the incoming tweets and identified nearly 50,000 Twitter accounts used for the advertisement and distribution of Android SMS fraud malware. These tweets contained links to malware advertising landing pages on over 200 domains, which we began to investigate deeper. Once the malicious link from a Tweet is clicked, the victim is directed to the malicious landing page then redirected (often automatically) to a download URL hosted on a domain operated by the Malware HQ containing their affiliate ID. The affiliate then receives credit for the download from the malware HQ hosting their campaign. Since the malware has to be dynamically compiled with the latest code and configurations, the affiliate can’t simply download and redistribute the malware on their own, they must direct each victim to a service operated by the Malware HQ which will build a unique malware application “on the fly” once a download request is made.
Based on this insight, we were able to follow each of the 50,000+ malicious URLs back to identify a handful of custom download servers operated by different Malware HQs. Since we believed these download domains were operated by the Malware HQs, we set out to find other related domains which may lead to the main Malware HQ website. We cross-referenced the download domains against passive DNS records to get a list of all IP addresses that that domain had ever resolved to, then cross-referenced those IPs against passive DNS records to find all domain names that ever resolved to them. Passive DNS operates by using a distributed sensor network to archive DNS name resolutions each time they are resolved.  We use this historical data set to discover all of the IPs that a DNS name has pointed to over time, even if the domain is no longer active. Using this technique, we discovered the Malware HQ for several download servers, since they once shared the same IP address, even if they didn’t at the time of discovery. Although this bottom up approach was often fruitful, we were also able to identify Malware HQs using more traditional methods such as forum postings and Google searches.
***
This report was prepared and written by security researcher and engineer Ryan Smith.