Android Malware Seeds for Sale

Pierluigi Paganini March 15, 2013

One of the leading computer security companies of Russia, Group-IB and its CERT (CERT-GIB), found that Android malware is available for sale by cybercriminals. With explosion of mobile market and increase of Android users, more devices can be infected by malware downloaded through Android Market or Google Play or from 3d party WEB-sites.

“Nowadays it is possible to buy Android phishing malware for 4 000 USD with source codes, which is amazing opportunity for cybercriminals to move beyond PC’s in their attempt to hack bank accounts” – said Dan Clements, Group-IB US Managing Partner.

Two models of mobile malware seem prevalent in the underground

  • phishing malware (used for phishing the user by SMS).
  • cyber espionage malware (recording calls, blocking calls, intercepting SMS, blocking SMS), usually used for online-banking theft as well.




Pic.1 – SMS/Calls mobile interception malware for Android, with opportunities of blocking of SMS and calls from the targeted numbers, such as banks call-centers or fraud detection departments.


“Here is the brief description:
– SMS interception by filter (number of the sender or the segment of the text message);
– Blocking all SMS or by filter;
– Calls redirect;
– “Clever” self removal from the mobile;
– Malware can be designed as legitimate application with payload;
– 3 languages for the application (localization);
– hidden functional can be turned on/off by SMS command.
 The source codes are provided with the description, as well as with the links on SMS-services for sending and receiving the messages, my references. Work near 3 years with this mobile malware, have good experience.
The price is 4 000 USD
Contact: through PM.”    

Today’s modern cyber criminals don’t block all SMS, and don’t block targeted number from the bank, they use signature detection method of the banking customers notification messages by several criteria such as the bank’s brand name, it’s notifications templates, and many other things, which help them to block and intercept all the messages from the bank including OTP tokens needed for banking transfer validation on the customer’s side.



Many banks in some countries don’t provide an opportunity of sending funds through online-banking service to other countries or financial institute, that’s why cybercriminals are interested in attacking traditional PCs in classical way through exploits and banking trojans, and use mobile malware as a supportive mean of theft.

The malware is targeted on European Union countries, Middle East and Asia countries, excluding Russia and Ukraine, but can be efficiently modified and exploited on wide ranges of the countries including US and Canada.

Many of these cyber gangs share revenue of approximately 30% from these ill-gotten gains. To carry out their deeds they also use very big mobile botnets or tones of mobile traffic.

Pic.2 – phishing mobile malware has become more popular because of its ease of entry into the market for any medium-level criminal. It costs near 1 000 USD on the black market, with the services included for its configuration and support (prefixes, mobile number configuration, SMS billing, timing for SMS sending)


“Good day for all,
I sell Android bot, it sends SMS on “pay-numbers” (without customers notification). You place there prefix, mobile number, timing for sending SMS, I will help with billing, which will accept such kind of traffic.
What are benefits: it is stable profit, all you need is to develop your mobile botnet, it depends on you.
I provide source codes as well, possibly someone will improve the bot in future. Will help you with all possible questions, explain how it works.
Use ICQ for the contact. I am always online.”

Cybercrime methods are becoming increasingly complex, and as already happened for desktop environments also mobile market is increasing in concerning way. It’s fundamental to monitor black market and detect instance of its products spread in the wild … Group-IB has provided me evidence of their excellent work in the monitoring and detection of incoming cyber threats.



(Security Affairs – Malware) 

you might also like

leave a comment