Today at DEF CON 21, we presented an in-depth investigation of Russian SMS fraud code-named “Dragon Lady,” referencing U2 reconnaissance aircrafts that were used during the Cold War to monitor the Soviet Union. Starting in December 2012, this investigation brought together vast amounts of data from multiple channels to uncover a pervasive and organized cottage industry built around the distribution of Android premium SMS fraud. We’ve enumerated ten “Malware Headquarters” accounting for over 60 percent of the Russian malware Lookout has observed in the wild.
We discovered several distribution channels through sources such as Twitter, then followed a digital path back from those distribution channels to identify several ‘start-up like’ organizations. These Malware Headquarters (Malware HQs), handle business logistics, management of SMS shortcodes and offer an easily configurable Android SMS fraud malware platform. Affiliate marketers then customize the malware apps and distribute them through channels like Twitter to drive mobile users to fraudulent affiliate websites. Unwitting victims are tricked into downloading malicious apps that charge a fee through toll fraud. We’ve seen evidence that these affiliate marketers have earned between $700/month to $12,000/month from these scams, and estimate that there are thousands of individual distributors and potentially tens of thousands of affiliate websites promoting these custom SMS malware in the same manner as traditional affiliate web marketers. Many of the malware organizations, affiliates and campaigns remain live, however all Lookout users are protected from known threats.
Lookout followed the trail of Russian SMS fraud malware back to several well-organized distribution hubs, which we’re calling Malware HQs. We enumerated ten Malware HQs accounting for over 60 percent of the Russian malware Lookout has observed in the wild. These organizations handle many of the logistics and business services required to manage an SMS fraud campaign, then offer these pre-packaged services to “affiliates,” who can focus on running campaigns and driving additional traffic without needing to handle the low-level technical and business requirements. These Malware HQs entice new affiliates with a common message: “We’ll make it easy for you to _monetize_ your mobile web traffic.” Of course, this _monetization_ is accomplished through the predatory practice of promising victims a useful Android application under false pretenses and instead covertly charging them through premium SMS messages. Below are examples of the websites operated by the Malware HQs.
[Caption: Websites operated by Malware HQs that demonstrate how easy it is to make your own malware.]
Some of the services offered by Malware HQs are:
Below are examples of gamification of affiliate earnings managed by a Malware HQ.
Below is a newsletter by Malware HQ with posts about a competition, maintenance and payout schedule:
The core function of a Malware HQ is to provide affiliates with a custom-built Android application which will charge victims through premium SMS messages and funnel the resulting funds back into the affiliate’s payment account. Although some Malware HQs have a few special features, all of them follow the same basic recipe. A simple step-by-step guide takes even the most novice of affiliates through the process of creating customized Android SMS fraud applications. Affiliates can either create a custom template or choose from pre-packaged templates, often portraying popular apps such as Google Play, Adobe Flash, Skype, games like Bad Piggies, MP3s, or pornography. The templates are highly configurable, allowing the affiliates to change the application’s title, icon, look and feel, and even how much the victims will be charged. Affiliates then use the Malware HQ’s tracking system to monitor the number of “impressions” and “conversions” for a particular campaign, allowing the more advanced affiliates to optimize and iterate campaigns.
6 Step Process to Easy-Bake Malware from one Malware HQ:
Step 1: Create your campaign
Step 2: Choose your target operating systems
Step 3: Select your mobile template with extra details including conversion rate
Step 4: Code to copy and paste into your website to redirect your visitors to download pages
A significant amount of money and effort is invested in affiliate campaign management and distribution. We discovered at least one affiliate investing $1k-$2k in operating expenses over three months, and claiming $12,000 in profit. Based on the investigation of the sites involved, we estimate that there are thousands of marketing affiliates and potentially tens of thousands of affiliate websites involved in promoting these pieces of malware.
Similar to traditional marketing campaigns, a greater volume of web traffic and a more intuitive process will lead to higher conversion. Once an affiliate has created their customized SMS fraud application at a Malware HQ, their goal is to entice mobile users to visit the campaign, hosted on a mobile web page, and install the malicious application. Affiliates are experimenting with the latest marketing techniques, like social media and mobile ads. The tactics for driving traffic include:
Below are samples of affiliate landing pages.
[Caption: Malvertising by an affiliate that links to landing pages that host malicious apps]
[Caption: The blurred URL in this string of code—sampled from BadNews—links to a landing page promoting malware hosted by a Malware HQ]
The typical victim of this malware scheme is a Russian speaker searching for popular applications such as Skype or for free porn, videos, pictures and MP3s. The landing pages that the affiliates build are tuned to filter out any visitors who are outside their targeted countries or who are not coming from a mobile device. A victim might search for a free version of “Bad Piggies” and stumble on a website that looks like an official Russian download page, but is actually a specially crafted affiliate landing page. When a victim clicks to download what they believe to be the Bad Piggies app, they will be charged a fee via premium SMS messages without their consent. There are often terms of service (TOS) included in the app when the user downloads, but they are not well presented to the users. Often, the TOS is intentionally buried or hidden from sight, such as white text on a white background or forcing the user to scroll down for two minutes before the TOS appears. To add insult to injury, even after being charged by the malicious application, victims are only provided a link where they may be able to download the actual (free!) application they were looking for originally.
Both the affiliates and the Malware HQ organizations are sensitive to the fact that anti-virus companies and network operators are constantly observing their operations in an attempt to curb their success. In fact, we know they specifically attempt to evade Lookout:
To avoid detection and maximize their success they use several layers of common evasion techniques, including:
Lookout has been actively tracking SMS fraud malware that targets Android users since the first example was found in the wild in August 2010. Three years later, we’ve seen significant advancements in sophistication and evasion techniques; however, the primary purpose remains unchanged: make financial gains by enticing users to download a malicious application under false pretenses, then secretly making charges to their phone bill via premium SMS messages. Early on we were able to determine that this type of malware was being hosted on custom websites, designed to lure victims in with enticing themes such as pornography or games.
Over time, this collection of malware samples, which targeted Russian users with SMS fraud, became the largest percentage of our total Android malware collection. Over 50% of Lookout’s total malware detections in the wild for the first half of 2013 were Russian SMS toll fraud applications. By reviewing each new version of code, we saw a few patterns emerge:
These factors, combined with the dramatic increase in the number of detections, seemed to indicate not only that there were significant efforts behind some of these malware families, but also that they were well-organized operations.
We began to monitor a live Twitter stream to look for users advertising links to Android downloads that fit the common themes, such as popular games, apps, or pornography. Within minutes of monitoring tweets fitting these descriptions, we realized that we were on to something when we noticed clusters of tweets in Russian advertising popular game titles like the ones below.
[Caption: Clusters of Russian tweets advertising popular game titles]
Note that many of the authors of these tweets are using Twitter’s default egg profile pictures, which we confirmed is a key indicator for malware distribution accounts.
Over the next months, we monitored the incoming tweets and identified nearly 50,000 Twitter accounts used for the advertisement and distribution of Android SMS fraud malware. These tweets contained links to malware advertising landing pages on over 200 domains, which we began to investigate deeper. Once the malicious link from a tweet is clicked, the victim is directed to the malicious landing page, then redirected (often automatically) to a download URL, hosted on a domain operated by the Malware HQ, that contains the affiliate’s ID. The affiliate then receives credit for the download from the Malware HQ hosting their campaign. Since the malware has to be dynamically compiled with the latest code and configurations, the affiliate can’t simply download and redistribute the malware on their own; they must direct each victim to a service operated by the Malware HQ which will build a unique malware application “on the fly” once a download request is made.
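The Twitter-monitoring heuristics described above (clusters of Russian-language tweets pushing the same landing domain, app or game themes, and default “egg” avatars) can be turned into a simple cluster detector. This is an added example, not Lookout’s tooling; the tweet records, domains and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed tweet records (no real accounts or domains); the fields mirror
# the signals the investigation looked at: avatar, language, theme, link.
TWEETS = [
    {"user": "u1", "default_avatar": True,  "text": "Скачать Bad Piggies бесплатно http://land-a.invalid/bp"},
    {"user": "u2", "default_avatar": True,  "text": "Bad Piggies на андроид http://land-a.invalid/bp2"},
    {"user": "u3", "default_avatar": True,  "text": "Skype для Android http://land-a.invalid/sk"},
    {"user": "u4", "default_avatar": False, "text": "My weekend photos http://photos.invalid/album"},
    {"user": "u5", "default_avatar": False, "text": "Обзор игры http://news.invalid/review"},
]
APP_THEMES = ("bad piggies", "skype", "google play", "adobe flash")  # themes named in the write-up
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
URL = re.compile(r"https?://\S+")

def extract_domains(text):
    """Hostnames of every URL in a tweet (the landing domain is the cluster key)."""
    return {urlsplit(u).hostname for u in URL.findall(text)}

def cluster_by_domain(tweets):
    """Group tweets by landing domain and count the indicators per domain."""
    stats = defaultdict(lambda: {"accounts": set(), "egg_accounts": set(), "russian": 0, "themed": 0})
    for t in tweets:
        for dom in extract_domains(t["text"]):
            s = stats[dom]
            s["accounts"].add(t["user"])
            if t["default_avatar"]:
                s["egg_accounts"].add(t["user"])          # default profile picture
            if CYRILLIC.search(t["text"]):
                s["russian"] += 1                         # Russian-language tweet
            if any(theme in t["text"].lower() for theme in APP_THEMES):
                s["themed"] += 1                          # popular app / game lure
    return stats

def suspicious_domains(tweets, min_accounts=3, min_egg_ratio=0.6):
    """Flag domains pushed by a cluster of mostly default-avatar accounts
    using Russian, app-themed text. Thresholds are constructed, not Lookout's."""
    flagged = []
    for dom, s in cluster_by_domain(tweets).items():
        n = len(s["accounts"])
        egg_ratio = len(s["egg_accounts"]) / n
        if n >= min_accounts and egg_ratio >= min_egg_ratio and s["russian"] and s["themed"]:
            flagged.append(dom)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_domains(TWEETS))  # ['land-a.invalid']
```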
Based on this insight, we were able to follow each of the 50,000+ malicious URLs back to identify a handful of custom download servers operated by different Malware HQs. Since we believed these download domains were operated by the Malware HQs, we set out to find other related domains which might lead to the main Malware HQ website. We cross-referenced the download domains against passive DNS records to get a list of all IP addresses that the domain had ever resolved to, then cross-referenced those IPs against passive DNS records to find all domain names that had ever resolved to them. Passive DNS operates by using a distributed sensor network to archive DNS name resolutions each time they are resolved. We use this historical data set to discover all of the IPs that a DNS name has pointed to over time, even if the domain is no longer active. Using this technique, we discovered the Malware HQ for several download servers, since they once shared the same IP address, even if they didn’t at the time of discovery. Although this bottom-up approach was often fruitful, we were also able to identify Malware HQs using more traditional methods such as forum postings and Google searches.
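The two-hop passive DNS pivot described above (download domain to every IP it ever resolved to, then to every other domain that ever resolved to those IPs), written out as an added example over constructed records rather than Lookout’s data. The `max_domains_per_ip` cutoff for crowded shared-hosting IPs is an added heuristic, not something the write-up describes.

```python
from collections import defaultdict

# Constructed passive DNS records (domain, historical IP), using reserved
# documentation address ranges and .invalid names; sample data only.
PDNS_RECORDS = [
    ("dl-one.invalid", "203.0.113.10"),
    ("dl-one.invalid", "203.0.113.11"),    # download server later moved here
    ("hq-panel.invalid", "203.0.113.11"),  # the HQ site once shared that IP
    ("dl-two.invalid", "198.51.100.5"),
    ("hq-panel.invalid", "198.51.100.5"),
    ("unrelated.invalid", "192.0.2.7"),
    # A crowded shared-hosting IP where dl-two once sat among many tenants.
    ("dl-two.invalid", "192.0.2.50"),
    ("tenant-a.invalid", "192.0.2.50"),
    ("tenant-b.invalid", "192.0.2.50"),
    ("tenant-c.invalid", "192.0.2.50"),
]

def build_indexes(records):
    """Index the records both ways: domain -> IPs it resolved to, IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip

def pivot(seed, records, max_domains_per_ip=None):
    """Two-hop pivot from a seed download domain.
    Returns {related_domain: {IPs shared with the seed}}. IPs that hosted
    more than max_domains_per_ip names are skipped as shared-hosting noise
    (an added heuristic; an IP shared by hundreds of sites proves nothing)."""
    by_domain, by_ip = build_indexes(records)
    related = defaultdict(set)
    for ip in by_domain.get(seed, ()):
        tenants = by_ip[ip]
        if max_domains_per_ip is not None and len(tenants) > max_domains_per_ip:
            continue
        for domain in tenants:
            if domain != seed:
                related[domain].add(ip)
    return dict(related)

def cluster(seeds, records, **kw):
    """Group several seed download domains by the HQ-side domains they lead to."""
    hq_to_seeds = defaultdict(set)
    for seed in seeds:
        for domain in pivot(seed, records, **kw):
            hq_to_seeds[domain].add(seed)
    return dict(hq_to_seeds)

if __name__ == "__main__":
    for seed in ("dl-one.invalid", "dl-two.invalid"):
        print(seed, "->", pivot(seed, PDNS_RECORDS, max_domains_per_ip=3))
    print(cluster(["dl-one.invalid", "dl-two.invalid"], PDNS_RECORDS, max_domains_per_ip=3))
```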
This report was prepared and written by security researcher and engineer Ryan Smith.