A look to Android offer in the underground mobile market

Security experts continues to observe the evolution of the offer of services and malicious software for fraudsters in the Android underground mobile market.

In the last months security firms have observed an increase in criminal activities that exploited Android OS supported by the proactive evolution of the offerings in the underground mobile market. Dancho Danchev is considered one of most accredited experts of the criminal underground and its evolution, he described numerous initiatives for monetization of illegal activities, he profiled the new comers DIY Android injectors and different services harvest mobile phone numbers advertised in the underground mobile market.

We wrote on commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, a precious instrument for a cyber criminal that intend to create its own botnet .

Using  commercially available tools it is possible to inject a pre-configured Android trojan client into any applications, recently Danchev profiled a cybercrime-friendly Windows-based tool for the generation of malicious data stealing Android .apk apps. In the underground mobile market it is already possible to find cracked versions of the DIY Android injector.


The data stealing apps present intriguing capabilities such as the possibility to steal WhatsApp messages on rooted devices, SMS messages, personal data stored on the mobile, user’s contacts. The trojanized applications could be also programmed to operate once triggered by a specific SMS, the data stolen are sent back to the attacker in a zip archive to a pre-configured email account.

But malware distribution for data stealing is just one of  numerous criminal  activities for the Android malware market segment, last discovery made by Danchev is related to scammers pop up in the Android’s Calendar App.

The cyber criminals in this case are popping up as an event on their Android Calendar apps, to do this they are registering thousands of bogus accounts to misuse for the access to Calendar feature. Calendar app is automatically syndicated on all Android devices, this characteristic is exploited by fraudsters:

“On most Android devices, the Calendar app is automatically synced with the Google Calendar server, and vice versa.”



The scam is based on the automation of the process of sending Calendar Invites containing fraudulent proposals to Android users. According Danchev the strategy reminds us of known cases for 419 advance fee scammers ( abused Dilbert.com and NYTimes.com’s “Email This” ).

“Nigerian scams, also called 419 scams, are a type of fraud and one of the most common types of confidence trick. There are many variations on this type of scam, including advance fee fraud, Nigerian Letter, Fifo’s Fraud, Spanish Prisoner Scam, black money scam. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud. The scam has been used with fax and traditional mail, and is now used with the internet. While the scam is not limited to Nigeria, the nation has become associated with this fraud and it has earned a reputation for being a center of email scam crimes. Other nations known to have a high incidence of advance fee fraud include Ivory Coast, Benin,Togo, South Africa, Russia, India, Pakistan, the Netherlands, and Spain.” reports Wikipedia on this category of scam.

In the cases of Email hijacking/friend scams, fraudsters hijack existing email accounts and use them in advance-fee fraud purposes typically targeting email friends, and/or family members of victims to circumvent them. The scam scheme is very effective due to the ease of registering tens of thousands of Google Accounts or due the possibility of buying access to pre-registered accounts.

Cybercriminals exploit also free email services for 419 scams illegal activities, the lack of validation for  identifying information allows them to send malicious messages in a short span of time without triggering any alerts.

“Scammers can create as many accounts as they wish and often have several at a time. In addition, if email providers are alerted to the scammer’s activities and suspend the account, it is a trivial matter for the scammer to simply create a new account to resume scamming.”

In the future illegal practices, specially focused on mobile platforms, will increase. Android OS due its market share will continue to be a privileged target for fraudsters and scammers. Danchev remarked that that we will assist to the shortening for the time frame between the “invitation” and the real crime operated by the fraudsters.

Others concerning practices observed by security experts are the sale for mobile traffic to hijack victims to malicious URLs on the fly, abuse of cybercrime-friendly underground market traffic exchanges, the rent of legitimate hosts and the abuse of verified Google Play accounts.

Fraudsters have numerous options to exploit Android OSs, what is surprising is the efficiency of the services they offer in the underground mobile market, excellent is Quality Assurance offered and the level of automation for the supply chain.

Virtually every criminals could find in the underground mobile market all the services and malicious software to realize also complex frauds … The mobile users are advised!

(Security Affairs – underground mobile market, cybercrime, Android)
Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.