After listening to this talk “DragonLady: An Investigation of SMS Fraud Operations in Russia” it became clearer on how mobile malware economy works or getting money out of installing unverified android apps. Lookout Mobile Security presented how the underground economy works. The following entities were explained:
Malware HQ – handles business logistics and management of SMS, they offer easily configurable Android SMS fraud malware platform. Each HQ org has 100 short codes which target in specific countries. Most of the SMS short codes are encrypted or encoded config files.
Malware Authors – develop/used anti-detection techniques are done individually then if merge to a different techhnique, its more challenging to track the new malware variant. New code release every 1 to 2 weeks.
Novice Affiliates – can create a custom template or choose pre-packaged templates that portray popular apps such as google play, skype, opera etc. Affiliates have several options: change title of the app, change the icon and how much to charge the victim.
“BadNews in April was an example of a malicious advertising library which was primarily used to send victims links to sms toll-fraud malware. “ – Lookout
Steps to create your own malware from one Malware HQ
- 1. Create your own campaign
- 2. Pick a target OS (Android or IOS)
- 3. Choose a mobile template including conversion rate
- 4. Copy and paste it to your site to redirect targets to download page.
So a quick verification via Google and Twitter I found this twitter handle posting/advertising APK files. Initial recon they did was to lurk on twitter. Here is what I found.
“Twitter is a major tool for distribution of thousand of links to malicious apps”
Going back to Badnews APK, noticing the following 2 jar files that show the landing pages:
Under AdvService.class notice private String primaryServerURL = hxxp://mobidisplay.net/api/adv.php and private String PhoneNum. With a quick glance on succeeding code displays the following method:
imple ping and IP geo look up displays it came from the country of [220.127.116.11] Ukraine.
Pinging androways.com 18.104.22.168 pointed me to Mother Russia.
In conclusion to avoid detection, the speaker of the conference enumerated the following:
- Package, class and method naming randomize.
- Encrypted strings
- Config files are encrypted
- Traffic is filtered based on victim’s (IP Address)
- Device Type (user agent string, making sure its mobile not pc)
- Twitter distribution.