Android Malware Seeds for Sale

One of the leading computer security companies of Russia, Group-IB and its CERT (CERT-GIB), found that Android malware is available for sale by cybercriminals. With explosion of mobile market and increase of Android users, more devices can be infected by malware downloaded through Android Market or Google Play or from 3d party WEB-sites.

“Nowadays it is possible to buy Android phishing malware for 4 000 USD with source codes, which is amazing opportunity for cybercriminals to move beyond PC’s in their attempt to hack bank accounts” – said Dan Clements, Group-IB US Managing Partner.

Two models of mobile malware seem prevalent in the underground

  • phishing malware (used for phishing the user by SMS).
  • cyber espionage malware (recording calls, blocking calls, intercepting SMS, blocking SMS), usually used for online-banking theft as well.

 

Pic.1

Pic.1 – SMS/Calls mobile interception malware for Android, with opportunities of blocking of SMS and calls from the targeted numbers, such as banks call-centers or fraud detection departments.

Translation:

“Here is the brief description:
– SMS interception by filter (number of the sender or the segment of the text message);
– Blocking all SMS or by filter;
– Calls redirect;
– “Clever” self removal from the mobile;
– Malware can be designed as legitimate application with payload;
– 3 languages for the application (localization);
– hidden functional can be turned on/off by SMS command.
The source codes are provided with the description, as well as with the links on SMS-services for sending and receiving the messages, my references. Work near 3 years with this mobile malware, have good experience.
The price is 4 000 USD
Contact: through PM.”  

Today’s modern cyber criminals don’t block all SMS, and don’t block targeted number from the bank, they use signature detection method of the banking customers notification messages by several criteria such as the bank’s brand name, it’s notifications templates, and many other things, which help them to block and intercept all the messages from the bank including OTP tokens needed for banking transfer validation on the customer’s side.

Pic.2

Many banks in some countries don’t provide an opportunity of sending funds through online-banking service to other countries or financial institute, that’s why cybercriminals are interested in attacking traditional PCs in classical way through exploits and banking trojans, and use mobile malware as a supportive mean of theft.

The malware is targeted on European Union countries, Middle East and Asia countries, excluding Russia and Ukraine, but can be efficiently modified and exploited on wide ranges of the countries including US and Canada.

Many of these cyber gangs share revenue of approximately 30% from these ill-gotten gains. To carry out their deeds they also use very big mobile botnets or tones of mobile traffic.

Pic.2 – phishing mobile malware has become more popular because of its ease of entry into the market for any medium-level criminal. It costs near 1 000 USD on the black market, with the services included for its configuration and support (prefixes, mobile number configuration, SMS billing, timing for SMS sending)

Translation:

“Good day for all,
I sell Android bot, it sends SMS on “pay-numbers” (without customers notification). You place there prefix, mobile number, timing for sending SMS, I will help with billing, which will accept such kind of traffic.
What are benefits: it is stable profit, all you need is to develop your mobile botnet, it depends on you.
I provide source codes as well, possibly someone will improve the bot in future. Will help you with all possible questions, explain how it works.
Use ICQ for the contact. I am always online.”

Cybercrime methods are becoming increasingly complex, and as already happened for desktop environments also mobile market is increasing in concerning way. It’s fundamental to monitor black market and detect instance of its products spread in the wild … Group-IB has provided me evidence of their excellent work in the monitoring and detection of incoming cyber threats.

Thanks

Pierluigi

(Security Affairs – Malware)
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Experts warn of an ongoing malware campaign targeting WP-Automatic plugin

A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…

6 hours ago

Cryptocurrencies and cybercrime: A critical intermingling

As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…

8 hours ago

Kaiser Permanente data breach may have impacted 13.4 million patients

Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…

8 hours ago

Over 1,400 CrushFTP internet-facing servers vulnerable to CVE-2024-4040 bug

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…

11 hours ago

Sweden’s liquor supply severely impacted by ransomware attack on logistics company

A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …

13 hours ago

CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog

CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…

23 hours ago

This website uses cookies.