A look to Android offer in the underground mobile market

Security experts continues to observe the evolution of the offer of services and malicious software for fraudsters in the Android underground mobile market.

In the last months security firms have observed an increase in criminal activities that exploited Android OS supported by the proactive evolution of the offerings in the underground mobile market. Dancho Danchev is considered one of most accredited experts of the criminal underground and its evolution, he described numerous initiatives for monetization of illegal activities, he profiled the new comers DIY Android injectors and different services harvest mobile phone numbers advertised in the underground mobile market.

We wrote on commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, a precious instrument for a cyber criminal that intend to create its own botnet .

Using  commercially available tools it is possible to inject a pre-configured Android trojan client into any applications, recently Danchev profiled a cybercrime-friendly Windows-based tool for the generation of malicious data stealing Android .apk apps. In the underground mobile market it is already possible to find cracked versions of the DIY Android injector.

 

The data stealing apps present intriguing capabilities such as the possibility to steal WhatsApp messages on rooted devices, SMS messages, personal data stored on the mobile, user’s contacts. The trojanized applications could be also programmed to operate once triggered by a specific SMS, the data stolen are sent back to the attacker in a zip archive to a pre-configured email account.

But malware distribution for data stealing is just one of  numerous criminal  activities for the Android malware market segment, last discovery made by Danchev is related to scammers pop up in the Android’s Calendar App.

The cyber criminals in this case are popping up as an event on their Android Calendar apps, to do this they are registering thousands of bogus accounts to misuse for the access to Calendar feature. Calendar app is automatically syndicated on all Android devices, this characteristic is exploited by fraudsters:

“On most Android devices, the Calendar app is automatically synced with the Google Calendar server, and vice versa.”

 

 

The scam is based on the automation of the process of sending Calendar Invites containing fraudulent proposals to Android users. According Danchev the strategy reminds us of known cases for 419 advance fee scammers ( abused Dilbert.com and NYTimes.com’s “Email This” ).

“Nigerian scams, also called 419 scams, are a type of fraud and one of the most common types of confidence trick. There are many variations on this type of scam, including advance fee fraud, Nigerian Letter, Fifo’s Fraud, Spanish Prisoner Scam, black money scam. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud. The scam has been used with fax and traditional mail, and is now used with the internet. While the scam is not limited to Nigeria, the nation has become associated with this fraud and it has earned a reputation for being a center of email scam crimes. Other nations known to have a high incidence of advance fee fraud include Ivory Coast, Benin,Togo, South Africa, Russia, India, Pakistan, the Netherlands, and Spain.” reports Wikipedia on this category of scam.

In the cases of Email hijacking/friend scams, fraudsters hijack existing email accounts and use them in advance-fee fraud purposes typically targeting email friends, and/or family members of victims to circumvent them. The scam scheme is very effective due to the ease of registering tens of thousands of Google Accounts or due the possibility of buying access to pre-registered accounts.

Cybercriminals exploit also free email services for 419 scams illegal activities, the lack of validation for  identifying information allows them to send malicious messages in a short span of time without triggering any alerts.

“Scammers can create as many accounts as they wish and often have several at a time. In addition, if email providers are alerted to the scammer’s activities and suspend the account, it is a trivial matter for the scammer to simply create a new account to resume scamming.”

In the future illegal practices, specially focused on mobile platforms, will increase. Android OS due its market share will continue to be a privileged target for fraudsters and scammers. Danchev remarked that that we will assist to the shortening for the time frame between the “invitation” and the real crime operated by the fraudsters.

Others concerning practices observed by security experts are the sale for mobile traffic to hijack victims to malicious URLs on the fly, abuse of cybercrime-friendly underground market traffic exchanges, the rent of legitimate hosts and the abuse of verified Google Play accounts.

Fraudsters have numerous options to exploit Android OSs, what is surprising is the efficiency of the services they offer in the underground mobile market, excellent is Quality Assurance offered and the level of automation for the supply chain.

Virtually every criminals could find in the underground mobile market all the services and malicious software to realize also complex frauds … The mobile users are advised!