Pierluigi Paganini March 11, 2013

In this post I desire to propose to readers the results of investigation made by researchers at Group-IB, a security firm resident of the Moscow-based Skolkovo Foundation.

Mobile malware black market is not well developed for now, because cybercriminals mostly use to directly attack mobile platforms instead to sell exploit toolkits and mobile malware.

The key properties of mobile malware for cybercrime are:

• using of well known brands including graphical design of famous applications or legal entities (financial institutions, e-commerce, stock/e-trading applications, applications for social networking and etc.);
• the need of entering SMS or doing phone calls to other numbers (sometimes it is doing silently after mobile malware will be installed on the system);
• 65% of installations – only on “jailbreaked” devices, 20% – through low verification of applications, 15% – through wireless channels (NFC, WPAN networks).

The market of cyber warfare is high raising nowadays and it includes also malware for mobiles for doing cyber espionage and intelligence.  The means of malware planting and it’s functional are quite similar to that one used by cybercriminals.

The key properties of mobile malware for cyber warfare are:

• the payload is targeted on information stealing including contact lists, text messages, calls history, information about compromised device (IMEI, Device IDs, external IP and etc.);
• some of the specific mobile malware is targeted on mobile calls recordings including Skype conversations.

Additionally modern smartphones are used for cyber espionage with special tools, used as traditional penetration testing tools. Mobile environment provides new opportunities for the hacker, cybercriminals use mobile malware for monetization through special underground partnership programs, they principal idea of which is to distribute malicious code on the huge range of smartphones based on popular OS through landing pages or mobile traffic (iOS, Windows Mobile, Google Android and etc.), and then to ask for paid SMS or it does it silently on specially crafted paid number from grey SMS billings providers in different countries.

There are some underground cybercrime services called “Pay Per Installes” (PPI), which pay money for mobile traffic for targeted attacks.

domain:        SMSPURPLE.RU

nserver:       dns1.yandex.net.

nserver:       dns2.yandex.net.

state:         REGISTERED, DELEGATED, UNVERIFIED

person:        Private Person

registrar:     NAUNET-REG-RIPN

admin-contact: https://client.naunet.ru/c/whoiscontact

created:       2011.12.02

paid-till:     2013.12.02

free-date:     2014.01.02

source:        TCI

This service distributes several variants of mobile malware (illegal SMS and mobile content subscriptions) under Opera Mini landing pages, Group-IB found more then 130 WEB-sites spreading fake mobile browsers used Opera Software brand in .RU and .COM domain name zones.

Another variant of malware is in mobile dating application with VK.com logo, very famous Russian social network (Vkontakte.ru):

It shows progress bar to 23% and then make a payment to SMS provider. For now, they distribute several types of fake mobile applications (Opera, Jimm, VK, Odn, Skype, Gaydating) on the following countries: Nigeria, Greece, Finland, Romania, Canada, Denmark, Belgium, Australia, Kyrgyzia, Poland, Chile, Portugal, US, Vietnam and many others.

It is important to say that cybercriminals prefer to use well knows mobile applications, especially for international cybercrime operations to increase own income from mobile traffic.

Most of these applications are detected as Java/SMSSend.AY or Trojan/J2ME.Agent.

Professional cybercriminals use mobile devices fingerprinting techniques by User-Agent to avoid AV detection, as well as hyperlinks obfuscation for avoiding domain names abusing during spam with malicious applicstions (“smishing”).

Some of the cybercriminals do smishing with help of SMS-ICQ transport they organize anonymous “smishing” attacks:

“Hello, you will find our fotos here wap.b0olt6jwxfq3.pz9l.ru/, download and then call me, don’t tell to anyone please!”

The end link will be http://updateqp.com/, from where you will be asked to download the following malware by link: http://filevk.com/l/bu/browser_update/u/7643/Browser_Update.jar.

It will be successfully downloaded only if the User-Agent of the victim will be one of the following: “Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 Nokia5800d-1/21.0.025;  Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko)  Safari/413”.

Both of the domain names were delegated to the same IP of bulletproof hosting provider:

$ host filevk.com   filevk.com has address 91.202.63.148
$ host updateqp.com  updateqp.com has address 91.202.63.148

More than 421 malicious mobile websites use this address. (examples: 39mobi.com 42mobi.com 56file.com 72mobi.com).

ZipWap.ru, the oldest cybercrime mobile subscription service working since 2011, has more than 60 special paid numbers for different countries, including USA, CA, UK and others. The main monetization scheme is “paid archives” for the WEB and mobile malware installs for mobile traffic.

It is the most high-technological underground services, because of it provides DLE, WordPress, uCoz integration, and special API for own CMS with automatic malware code generation.

Mostly they are targeted on WAP traffic and spreading mobile malware for Google Android platform and Nokia Symbian. The logic of commerce of this service is in that – user would love to download mobile application, the operator of the service asks him for money and provides own J2ME middle or Android malicious application, then the user downloads it and pay for the content, the operator of the service receive money for successful installation. They distribute fake Android and Symbian applications.

Some of the members earns more then 6 000$ per day on the distribution of this malware, which shows high-converted results:

The payouts are doing through Webmoney (WMR) or by banking transfer through EPESE. EPESE is absolutely anonymous money laundering service, which helps to transfer money without opening banking account or to receive it from different underground partner programmes.

They also integrated to some famous pharma underground programs such as RX-Affiliate-Network and

provide opportunities in money cash outing with help of special prepaid cards which they anonymously send to the members.

Another example of large mobile malware distribution underground services is “Load-WAP” that actually has around 1771 members. The service is targeted only on Russia, Belorus, Kazahstan, Armenia, Moldovia, Estonia, Latvia, Litva and Israel.

The service pays up to 80% from each installation targeted only on Google Android applications, it has also private mobile malware applications for VIP members for iPhone and iPad, but actually it doesn’t publish it. Some of VIP members of Load-Wap have special access for converting Appli and iOS traffic, Load-Wap service has developed special landing pages for iOS traffic and has private mobile malware for this platform they use with VIP members

The principal players of underground mobile traffic market for spreading malware are:

• ZipWap
• Phoneconvert
• Stimulpremium
• Load-Wap
• Wizard-mobile
• WapSyst

For some of them it is necessary to obtain special invite to become a member of the communities , it is the way of security, because some of such services were banned by abuses:

It easy to predict that the number of market places will increase in the next months, cybercrime will continue to target mobile world exploring model of business exactly as for malware sale and renting of hacking services.

Thanks again to security experts at Group-IB for the excellent analysis conducted on a so complex topic.