Today at DEF CON 21, we presented an in-depth investigation of Russian
SMS fraud code-named “Dragon Lady,” referencing the U2 reconnaissance
aircraft used during the Cold War to monitor the Soviet Union. Starting
in December 2012, this investigation brought together vast amounts of
data from multiple channels to uncover a pervasive and organized cottage
industry built around the distribution of Android premium SMS fraud.
We’ve enumerated ten “Malware Headquarters” accounting for over 60
percent of the Russian malware Lookout has observed in the wild.
We discovered several distribution channels through sources such as
Twitter, then followed a digital path back from those distribution
channels to identify several ‘start-up like’ organizations. These
Malware Headquarters (Malware HQs) handle business logistics, manage
SMS short codes and offer an easily configurable Android SMS fraud
malware platform. Affiliate marketers then customize the malware apps
and distribute them through channels like Twitter to drive mobile users
to fraudulent affiliate websites. Unwitting victims are tricked into
downloading malicious apps that charge a fee through toll fraud. We’ve
seen evidence that these affiliate marketers have earned between $700
and $12,000 per month from these scams, and estimate that there are
thousands of individual distributors and potentially tens of thousands
of affiliate websites promoting this custom SMS malware in the same
manner as traditional affiliate web marketers. Many of the malware
organizations, affiliates and campaigns remain live; however, all
Lookout users are protected from known threats.
Key Findings
- Organized groups of Android malware authors are operating like
  startups: tapping multiple individuals or organizations for
  specialization in different business areas, leveraging online tools
  for promotion and developing affiliate programs. At least one Russian
  malware “startup” has been discovered earning tens of thousands of
  dollars per month and operating thousands of websites through its
  affiliates.
- Many of the malware families have regular code release cycles every
  few weeks, similar to agile software development organizations.
- Twitter is a major distribution tool for these affiliates. They are
  using Twitter as a vehicle to distribute tens of thousands of links to
  malicious apps in an effort to leverage the social media platform to
  drive more traffic to their download pages. While promoting malware is
  nothing new, this demonstrates how rapidly they are adjusting to mobile
  and experimenting with new media formats for campaigns.
- The organizations offer “Easy-Bake” Android SMS fraud malware where
  affiliates can configure their options, and the code is compiled
  automatically each time a victim downloads it. The link is attached to
  a unique piece of malware that the affiliates can then distribute as
  they see fit in an effort to maximize download numbers. This process
  makes it very simple for anyone to execute a malware campaign.
- Russian malware affiliates are experimenting with various distribution
  tactics, which range from straight-up distribution of malware links to
  more “grey-area” borderline ad networks that distribute bad stuff.
  We’ve witnessed Android advertising libraries serving as alternative
  distribution channels for malware campaigns. Specifically, our
  discovery of BadNews in April was an example of a malicious
  advertising library which was primarily used to send victims links to
  SMS toll-fraud malware.
- The malware authors are employing several anti-detection techniques
  in their distribution points as well as their code. Although most of
  these evasion techniques are basic individually, when combined they
  make new versions of the malware more challenging to track, both at
  the distribution points and in the code.
The Malware HQ: An Organized Operation
Lookout followed the trail of Russian SMS fraud malware back to several
well-organized distribution hubs which we’re calling Malware HQs. We
enumerated ten Malware HQs accounting for over 60 percent of the Russian
malware Lookout has observed in the wild. These organizations handle
many of the logistics and business services required to manage an SMS
fraud campaign, then offer these pre-packaged services to “affiliates”
who can focus on running campaigns and driving additional traffic
without needing to handle the low-level technical and business
requirements. These Malware HQs entice new affiliates with a common
message: “We’ll make it easy for you to _monetize_ your mobile web
traffic.” Of course, this _monetization_ is accomplished by the
predatory practice of promising victims a useful Android application
under false pretenses and instead covertly charging them through
premium SMS messages. Below are examples of the websites operated by
the Malware HQs.
[Caption: Websites operated by Malware HQs that demonstrate how easy it is to make your own malware.]
Some of the services offered by Malware HQs are:
- Development and maintenance of the Android SMS fraud apps
  - On average, new code updates are released every 1-2 weeks
  - Many of the Malware HQs use multiple levels of code and data
    obfuscation to avoid detection
- Registration of SMS short codes and dissemination of the resulting funds
  - Each of the Malware HQ organizations has up to 100 individual short
    codes, which target users in a specific set of countries.
  - Most Malware HQs include these SMS short codes in encrypted or
    encoded configuration files, which are updated regularly along with
    the code and shipped with each release.
Below are examples of gamification of affiliate earnings managed by a Malware HQ.
- Affiliate marketing programs
  - Gamification of earnings and contests for the biggest winners
  - Affiliate communications including newsletters and regular blog
    posts about new features
Below is a newsletter by a Malware HQ with posts about a competition,
maintenance and payout schedule:
Easy Bake Malware: Customized SMS Fraud
The core function of a Malware HQ is to provide affiliates with a
custom-built Android application which will charge victims through
premium SMS messages and funnel the resulting funds back into the
affiliate’s payment account. Although some Malware HQs have a few
special features, all of them follow the same basic recipe. A simple
step-by-step guide takes even the most novice of affiliates through the
process of creating customized Android SMS fraud applications.
Affiliates can either create a custom template or choose a pre-packaged
template, often portraying popular apps such as Google Play, Adobe
Flash, Skype, games like Bad Piggies, MP3s, or pornography. The
templates are highly configurable, allowing the affiliates to change the
application’s title, icon, look and feel, and even how much the victims
will be charged. Affiliates then use the HQ’s tracking system to
monitor the number of “impressions” and “conversions” for a particular
campaign, allowing the more advanced affiliates to optimize and iterate
campaigns.
6 Step Process to Easy-Bake Malware from one Malware HQ:
Step 1: Create your campaign
Step 2: Choose your target operating systems
Step 3: Select your mobile template with extra details including conversion rate
Step 4: Code to copy and paste into your website to redirect your visitors to download pages
Malvertising: Affiliates & Distribution
A significant amount of money and effort is invested in affiliate
campaign management and distribution. We discovered at least one
affiliate investing $1k-$2k in operating expenses over three months, and
claiming $12,000 in profit. Based on the investigation of the sites
involved, we estimate that there are thousands of marketing affiliates
and potentially tens of thousands of affiliate websites involved in
promoting these pieces of malware.
Similar to traditional marketing campaigns, a greater volume of web
traffic and a more intuitive process will lead to higher conversion.
Once an affiliate has created their customized SMS fraud application at
a Malware HQ, their goal is to entice mobile users to visit the campaign,
hosted on a mobile web page, and install the malicious application.
Affiliates are experimenting with the latest marketing techniques, like
social media and mobile ads. The tactics for driving traffic include:
- Destination Landing Pages: Affiliates are responsible for creating
  their own destination landing pages that redirect users to download
  the malicious app hosted by the HQ. These landing pages are often
  designed to be enticing to mobile users, advertising popular downloads
  such as Angry Birds, Skype, Opera, or Flash updates. Below are samples
  of affiliate landing pages.
- Twitter: Twitter is a primary distribution channel for malware
  affiliates because search engines assign a high value to indexed
  tweets, which means a higher ranking in the search results. When
  searchers seek out free songs, apps or porn, a high search ranking
  promotes the affiliate content. Lookout combed through 247,863 unique
  Twitter handles and over a million tweets. Nearly 50,000 of the unique
  handles and nearly 25 percent of all tweets identified were confirmed
  to link to malware. While many of the accounts were still active,
  Twitter’s security team appeared to be disabling accounts which they
  identified as malicious. We reported the remaining malicious accounts,
  their behavior, and our findings to Twitter in May 2013.
[Caption: Malvertising by an affiliate that links to landing pages that host malicious apps]
- Mobile Ad Networks: Lookout recently reported on a new malware,
  BadNews, which was found to be a new technique to drive mobile traffic
  to SMS fraud campaigns. BadNews was designed to look like an
  advertising library in legitimate Android applications, but the
  advertisements that it displayed linked directly to SMS fraud malware
  hosted by top HQs.
[Caption: The blurred URL in this string of code—sampled from
BadNews—links to a landing page promoting malware hosted by a Malware
HQ]
Victims of SMS Fraud
The typical victim of this malware scheme is a Russian speaker
searching for popular applications such as Skype, or for free porn,
videos, pictures and MP3s. The landing pages that the affiliates build
are tuned to filter out any visitors who are outside their targeted
countries or who are not coming from a mobile device. A victim might
search for a free version of “Bad Piggies” and stumble on a website
that looks like an official Russian download page, but is actually a
specially crafted affiliate landing page. When a victim clicks to
download what they believe to be the Bad Piggies app, they will be
charged a fee via premium SMS messages without their consent. There are
often terms of service (TOS) included in the app when the user
downloads it, but they are not well presented to the user. Often, the
TOS is intentionally buried or hidden from sight, such as white text on
a white background, or the user is forced to scroll down for two
minutes before the TOS appears. To add insult to injury, even after
being charged by the malicious application, the victim is only provided
a link where they may be able to download the actual (free!)
application they were looking for originally.
Anti-Detection Techniques
Both the affiliates and the Malware HQ organizations are sensitive to
the fact that anti-virus companies and network operators are constantly
observing their operations in an attempt to curb their success. In fact,
we know they specifically attempt to evade Lookout:
To avoid detection and maximize their success they use several layers
of common evasion techniques, including:
- Android SMS Malware Obfuscation
  - Code Obfuscation
    - Package, class, and method naming randomization
    - Encrypted strings
    - Injected dummy code
    - Reflection
  - Encryption
    - Configuration files and assets are encrypted
- Affiliate Landing Pages
  - Traffic is filtered based on a victim’s:
    - Country
      - This is determined based on their IP address and is typically
        limited to Russia and the surrounding region.
    - Device Type
      - This is typically based on the User-Agent string, but we have
        also begun to see a rise in landing pages which use run-time
        JavaScript tests to verify that the visitor is in fact using a
        mobile device.
- Twitter Distribution
  - Affiliates will generally use a “low and slow” approach: registering
    a large number of accounts, spreading the landing page advertisements
    evenly across all of them, and tweeting them out at a slower rate.
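The landing-page filtering listed above means that a crawler fetching a suspected page from a single desktop vantage point outside the target region only ever sees the decoy content. The following is an added example, not Lookout's tooling or anything from the post, of a cloaking check that fetches the same URL from several vantage points (mobile versus desktop User-Agent, in-region versus out-of-region source address) and flags pages whose responses diverge. The vantage-point table, the `.test` URLs, the affiliate ID `4417` and the `fetch_fixture` stand-in are all constructed; a real deployment would replace the fixture with an HTTP client run from those vantage points.

```python
"""Cloaking check for a suspected affiliate landing page (added example).

Fetch one URL from several vantage points and compare the responses. A page
that only serves a redirect to the Android visitor in the target region, and
a bland decoy to everyone else, is exhibiting the filtering the post
describes. Every name, URL, ID and response below is constructed.
"""

# Vantage points the checker fans out over. "geo" stands for the country the
# source IP geolocates to. Constructed labels, not real exit nodes.
VANTAGE_POINTS = {
    "desktop_out_of_region": {"ua": "Mozilla/5.0 (Windows NT 6.1; WOW64)", "geo": "US"},
    "mobile_out_of_region": {"ua": "Mozilla/5.0 (Linux; Android 4.1; GT-I9300)", "geo": "US"},
    "desktop_in_region": {"ua": "Mozilla/5.0 (Windows NT 6.1; WOW64)", "geo": "RU"},
    "mobile_in_region": {"ua": "Mozilla/5.0 (Linux; Android 4.1; GT-I9300)", "geo": "RU"},
}

# Constructed responses keyed by (url, vantage point): (status, body or Location).
# "*" is the fallback for vantage points without a specific entry. Only the
# in-region Android visitor of the lure page is sent on to a download host.
_DECOY = (200, "<html><body>Welcome to our site.</body></html>")
FIXTURE = {
    ("http://lure-example.test/bad-piggies", "mobile_in_region"):
        (302, "http://dl.hq-example.test/get.php?aff=4417"),
    ("http://lure-example.test/bad-piggies", "*"): _DECOY,
    ("http://benign-example.test/", "*"): (200, "<html><body>Same page for all.</body></html>"),
}


def fetch_fixture(url, vantage):
    """Stand-in for an HTTP fetch of `url` from `vantage` (see VANTAGE_POINTS).

    A real fetcher would send VANTAGE_POINTS[vantage]["ua"] as the User-Agent
    from a source address in the matching country and return (status, body).
    """
    return FIXTURE.get((url, vantage), FIXTURE.get((url, "*"), (404, "")))


def check_cloaking(url, fetch=fetch_fixture):
    """Fetch `url` from every vantage point and compare what came back.

    Returns a dict with:
      cloaked               - True if any two vantage points got different responses
      mobile_in_region_only - True if the in-region mobile visitor alone got a
                              response unlike the (identical) other three
      redirect_target       - Location the in-region mobile visitor was sent to, if any
      responses             - the raw per-vantage-point responses, for the analyst
    """
    responses = {vp: fetch(url, vp) for vp in VANTAGE_POINTS}
    mobile_in = responses["mobile_in_region"]
    others = [r for vp, r in responses.items() if vp != "mobile_in_region"]
    only_mobile_in = len(set(others)) == 1 and mobile_in not in others
    status, payload = mobile_in
    return {
        "url": url,
        "cloaked": len(set(responses.values())) > 1,
        "mobile_in_region_only": only_mobile_in,
        "redirect_target": payload if status in (301, 302) else None,
        "responses": responses,
    }


if __name__ == "__main__":
    for candidate in ("http://lure-example.test/bad-piggies", "http://benign-example.test/"):
        result = check_cloaking(candidate)
        verdict = "cloaked" if result["cloaked"] else "consistent"
        print(f"{candidate}: {verdict}, redirect -> {result['redirect_target']}")
```

Comparing whole responses is deliberately crude: a page that embeds a per-request nonce or timestamp will always look "cloaked", so in practice the comparison should run on a normalised body (scripts and tokens stripped) and a mismatch should be treated as a prompt for manual review rather than a verdict.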
Discovery
Lookout has been actively tracking SMS fraud malware that targets
Android users since the first example was found in the wild in August
2010. Three years later, we’ve seen significant advancements in
sophistication and evasion techniques; however, the primary purpose
remains unchanged: make financial gains by enticing users to download a
malicious application under false pretenses, then secretly making
charges to their phone bill via premium SMS messages. Early on we were
able to determine that this type of malware was being hosted on custom
websites, designed to lure victims in with enticing themes such as
pornography or games.
Over time, this collection of malware samples which targeted Russian
users with SMS fraud became the largest percentage of our total Android
malware collection. Over 50% of Lookout’s total malware detections in
the wild for the first half of 2013 were Russian SMS toll fraud
applications. By reviewing each new version of the code, we saw a few
patterns emerge:
- The code became more complex and structured over time, resembling
  professionally developed code.
- The code was highly configurable and reduced the amount of hard-coded
  information such as SMS short code numbers and messages, replacing
  them with XML configuration files.
- The malware authors made a significant effort to obfuscate their code
  and encrypt their configuration files to evade detection.
- The code was updated on regular release cycles, every 1-2 weeks in
  most cases.
These factors, combined with the dramatic increase in the number of
detections, seemed to indicate not only that there were significant
efforts behind some of these malware families, but also that they were
well-organized operations.
We began to monitor a live Twitter stream to look for users advertising
links to Android downloads that fit the common themes, such as popular
games, apps, or pornography. Within minutes of monitoring tweets fitting
these descriptions, we realized that we were on to something as we
noticed clusters of tweets in Russian advertising popular game titles
like the ones below.
[Caption: Clusters of Russian tweets advertising popular game titles]
Note that many of the authors of these tweets are using Twitter’s
default egg profile pictures, which we confirmed is a key indicator for
malware distribution accounts.
Over the next months, we monitored the incoming tweets and identified
nearly 50,000 Twitter accounts used for the advertisement and
distribution of Android SMS fraud malware. These tweets contained links
to malware advertising landing pages on over 200 domains, which we began
to investigate more deeply. Once the malicious link from a tweet is
clicked, the victim is directed to the malicious landing page, then
redirected (often automatically) to a download URL hosted on a domain
operated by the Malware HQ and containing the affiliate’s ID. The
affiliate then receives credit for the download from the Malware HQ
hosting their campaign. Since the malware has to be dynamically compiled
with the latest code and configurations, the affiliate can’t simply
download and redistribute the malware on their own; they must direct
each victim to a service operated by the Malware HQ which will build a
unique malware application “on the fly” once a download request is made.
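The two paragraphs above give the ingredients of a triage pipeline: indicators on the account and tweet (default profile picture, lure themes, often in Russian) and a redirect chain from the tweeted link to a download URL on a Malware HQ domain carrying the affiliate's ID. The following is an added example, not Lookout's pipeline or anything from the post, that scores constructed tweet records on those indicators, follows a constructed redirect map to the final download host, pulls out the affiliate ID, and groups the flagged handles by the download host they feed. All handles, `.test` domains, affiliate IDs and the `REDIRECTS` map are constructed, and the query-parameter names in `AFFILIATE_PARAMS` are an assumption (the post only says the download URL contains the affiliate ID); a real pipeline would resolve the chain with an HTTP client.

```python
"""Tweet-to-download-host triage (added example, constructed data throughout)."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed redirect map: URL -> next hop (None means the page does not redirect).
REDIRECTS = {
    "http://free-games-example.test/badpiggies":
        "http://dl.hq-one-example.test/get.php?aff=4417&tpl=badpiggies",
    "http://skype-free-example.test/": "http://cdn.skype-free-example.test/step2",
    "http://cdn.skype-free-example.test/step2": "http://dl.hq-two-example.test/apk?partner=902",
    "http://news-site-example.test/article": None,
}

# Assumed query-parameter names under which the affiliate ID might be carried.
AFFILIATE_PARAMS = ("aff", "partner", "ref")

# Lure themes named in the post, plus the Russian words for "download" and "free".
LURE_WORDS = ("bad piggies", "angry birds", "skype", "opera", "flash", "mp3",
              "скачать", "бесплатно")


@dataclass
class Tweet:
    handle: str
    default_avatar: bool   # True when the account still shows Twitter's default picture
    text: str
    url: str


def resolve_chain(url, max_hops=5):
    """Follow the redirect map from `url`; stop on a loop, a final page, or max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = REDIRECTS.get(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def extract_affiliate(final_url):
    """Return (host, affiliate_id) for the last hop; affiliate_id is None when absent."""
    parsed = urlparse(final_url)
    query = parse_qs(parsed.query)
    for param in AFFILIATE_PARAMS:
        if param in query:
            return parsed.netloc, query[param][0]
    return parsed.netloc, None


def score_tweet(tweet):
    """Count the indicators a tweet trips and record where its link ends up."""
    reasons = []
    if tweet.default_avatar:
        reasons.append("default_avatar")
    if any(word in tweet.text.lower() for word in LURE_WORDS):
        reasons.append("lure_theme")
    chain = resolve_chain(tweet.url)
    host, affiliate = extract_affiliate(chain[-1])
    if len(chain) > 1:
        reasons.append("redirect")
    if affiliate is not None:
        reasons.append("affiliate_id")
    return {
        "handle": tweet.handle,
        "score": len(reasons),
        "reasons": reasons,
        "chain": chain,
        "download_host": host if affiliate is not None else None,
        "affiliate": affiliate,
    }


def cluster_by_download_host(tweets, min_score=3):
    """Group handles that score at least `min_score` by the download host they feed."""
    clusters = defaultdict(set)
    for tweet in tweets:
        result = score_tweet(tweet)
        if result["score"] >= min_score and result["download_host"]:
            clusters[result["download_host"]].add(result["handle"])
    return dict(clusters)


# Constructed sample tweets: two distribution accounts, two ordinary users.
SAMPLE_TWEETS = [
    Tweet("egg_user_1", True, "Bad Piggies скачать бесплатно", "http://free-games-example.test/badpiggies"),
    Tweet("egg_user_2", True, "Skype для Android бесплатно", "http://skype-free-example.test/"),
    Tweet("real_person", False, "interesting read", "http://news-site-example.test/article"),
    Tweet("gamer_fan", False, "Loved Angry Birds today", "http://news-site-example.test/article"),
]

if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        r = score_tweet(t)
        print(f"@{r['handle']}: score={r['score']} reasons={r['reasons']} host={r['download_host']}")
    print(cluster_by_download_host(SAMPLE_TWEETS))
```

The scoring is additive on purpose: no single indicator is conclusive (plenty of legitimate accounts never change their avatar, and plenty of tweets mention Skype), but an account that trips the avatar, theme, redirect and affiliate-ID checks together is worth an analyst's time, and the download host it resolves to is the pivot point for the passive DNS work that follows.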
Based on this insight, we were able to follow each of the 50,000+
malicious URLs back to identify a handful of custom download servers
operated by different Malware HQs. Since we believed these download
domains were operated by the Malware HQs, we set out to find other
related domains which might lead to the main Malware HQ website. We
cross-referenced the download domains against passive DNS records to get
a list of all IP addresses that the domain had ever resolved to, then
cross-referenced those IPs against passive DNS records to find all
domain names that had ever resolved to them. Passive DNS operates by
using a distributed sensor network to archive DNS name resolutions each
time they are observed. We used this historical data set to discover
all of the IPs that a DNS name had pointed to over time, even if the
domain was no longer active. Using this technique, we discovered the
Malware HQ for several download servers, since they had once shared the
same IP address, even if they didn’t at the time of discovery. Although
this bottom-up approach was often fruitful, we were also able to
identify Malware HQs using more traditional methods such as forum
postings and Google searches.
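The domain-to-IP-to-domain pivot described above is easy to get wrong in one direction: a download server that once sat on a shared hosting box will pull every other tenant of that box into the result set. The following is an added example, not Lookout's tooling or anything from the post, that runs the bidirectional pivot over a constructed passive DNS record set, refuses to expand IPs that hosted more than a threshold of names, and includes a co-hosting helper that reports whether two names shared an IP at the same time or only at different times. All names (`.test`) and IPs (documentation ranges) are constructed; a real investigation would pull the records from a passive DNS provider.

```python
"""Passive DNS pivot and co-hosting check (added example, constructed records)."""
from collections import defaultdict

# Constructed passive DNS records: (rrname, rdata, first_seen, last_seen), ISO dates.
# dl.hq-one-example.test moved between three IPs; one of them (203.0.113.77) is a
# shared host with several unrelated tenants.
PDNS = [
    ("dl.hq-one-example.test", "192.0.2.10", "2012-12-01", "2013-02-15"),
    ("dl.hq-one-example.test", "192.0.2.11", "2013-02-16", "2013-07-30"),
    ("dl.hq-one-example.test", "203.0.113.77", "2012-10-01", "2012-10-05"),
    ("hq-one-panel-example.test", "192.0.2.10", "2012-11-20", "2013-01-31"),
    ("blog.hq-one-panel-example.test", "192.0.2.10", "2012-11-20", "2013-07-30"),
    ("old-hq-example.test", "192.0.2.11", "2012-05-01", "2012-09-30"),
    ("dl.hq-two-example.test", "198.51.100.5", "2013-01-10", "2013-07-30"),
    ("hq-two-affiliates-example.test", "198.51.100.5", "2013-01-01", "2013-07-30"),
    ("unrelated-shop-example.test", "203.0.113.77", "2011-01-01", "2013-07-30"),
    ("unrelated-blog-example.test", "203.0.113.77", "2011-01-01", "2013-07-30"),
    ("unrelated-forum-example.test", "203.0.113.77", "2011-01-01", "2013-07-30"),
    ("unrelated-mail-example.test", "203.0.113.77", "2011-01-01", "2013-07-30"),
]


class PassiveDNS:
    """In-memory index over (name, ip, first_seen, last_seen) records."""

    def __init__(self, records):
        self.by_name = defaultdict(set)
        self.by_ip = defaultdict(set)
        self.window = {}  # (name, ip) -> (first_seen, last_seen), merged over records
        for name, ip, first, last in records:
            self.by_name[name].add(ip)
            self.by_ip[ip].add(name)
            f, l = self.window.get((name, ip), (first, last))
            self.window[(name, ip)] = (min(f, first), max(l, last))

    def ips_for(self, name):
        """Every IP the name has ever resolved to, active or not."""
        return set(self.by_name.get(name, ()))

    def names_for(self, ip):
        """Every name that has ever resolved to the IP."""
        return set(self.by_ip.get(ip, ()))

    def co_hosting(self, a, b):
        """IPs both names resolved to, mapped to the overlapping observation
        window, or None when they used the IP at different times (a weaker link)."""
        out = {}
        for ip in self.ips_for(a) & self.ips_for(b):
            first_a, last_a = self.window[(a, ip)]
            first_b, last_b = self.window[(b, ip)]
            start, end = max(first_a, first_b), min(last_a, last_b)
            out[ip] = (start, end) if start <= end else None
        return out


def pivot(pdns, seeds, max_hops=2, shared_host_threshold=4):
    """Return (domains, ips) reachable from `seeds` within `max_hops`.

    Each hop goes name -> IPs -> names. IPs that hosted more than
    `shared_host_threshold` names are recorded but not expanded, so a shared
    hosting box does not drag its unrelated tenants into the result.
    """
    domains, ips = set(seeds), set()
    frontier = set(seeds)
    for _ in range(max_hops):
        new_ips = set()
        for name in frontier:
            new_ips |= pdns.ips_for(name) - ips
        ips |= new_ips
        frontier = set()
        for ip in new_ips:
            names = pdns.names_for(ip)
            if len(names) > shared_host_threshold:
                continue  # shared infrastructure: note the IP, skip its tenants
            frontier |= names - domains
        domains |= frontier
        if not frontier:
            break
    return domains, ips


if __name__ == "__main__":
    index = PassiveDNS(PDNS)
    found, addrs = pivot(index, ["dl.hq-one-example.test"])
    print("related names:", sorted(found))
    print("ips seen:", sorted(addrs))
    print("co-hosting with panel:", index.co_hosting("dl.hq-one-example.test", "hq-one-panel-example.test"))
```

Starting from the one download domain, the pivot surfaces the panel and blog names that shared `192.0.2.10` with it, and `old-hq-example.test`, which used `192.0.2.11` months before the download server did; the co-hosting helper distinguishes the first case (overlapping windows) from the second (sequential use of the same address), which matters because sequential reuse of a cheap VPS address is common and on its own proves little.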
***
This report was prepared and written by security researcher and engineer Ryan Smith.