Cyber criminals in Russia have built a lucrative business that employs thousands of people, and they are just waiting for smartphone users to click on fishy links.
Ten mobile malware businesses in Russia that behave like startups account for at least 60% of a complex Russian malware industry, according to new research by mobile security provider Lookout, unveiled Friday at the DEFCON 21 hacking conference in Las Vegas.
These criminals are ramping up marketing efforts to reach unsuspecting consumers, hiring thousands of individual affiliate marketers and likely tens of thousands of web properties to advertise their malware.
“The mobile malware trade in Russia is highly organized and profitable,” says Lookout’s senior research and response engineer, Ryan Smith. “They leverage a large and highly motivated workforce of affiliates, who earn a share of the profit by marketing and distributing the malware.”
Some of these affiliates have been found to make up to $12,000 a month, according to Lookout.
The Attack: What to Look For
The attack method of choice is known as toll fraud: a malicious app silently sends text messages to premium-rate numbers, so the charges land on the victim's phone bill, often with no service provided in return.
The lure usually arrives as a link in a text message or on social media sites like Facebook (FB) and Twitter, and the malicious app is disguised as a popular app such as Angry Birds, Google Play, Adobe Flash or Skype. The victims are often searching for free apps.
“The victim may have been using a search engine or clicking through links in tweets or mobile ads, then unwittingly download the malicious app which secretly adds a premium SMS charge to their phone bill,” Smith said.
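A practitioner triaging a suspected "free app" download would start with the permissions and receivers it declares. The script below is an added example, not Lookout's tooling or anything from the report: it parses a decoded AndroidManifest.xml and flags the combination toll-fraud apps need, the SEND_SMS permission plus a high-priority receiver for incoming SMS, which lets the app see (and, on Android versions before 4.4, suppress) the premium-service confirmation message the carrier sends back. It assumes the manifest has already been decoded from the APK's binary XML to plain text (apktool does this); both manifests in the block are constructed samples, and the package names are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for premium-SMS toll-fraud
indicators.  Added example, not Lookout's tooling.  Assumes the manifest was
decoded from binary XML (e.g. with apktool); both samples are constructed and
the package names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"

# Constructed sample: a "Flash Player" download that wants to send SMS and
# registers a top-priority receiver for incoming SMS.
FRAUD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".Main"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a game that only needs network access.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bird Game">
    <activity android:name=".Main"/>
  </application>
</manifest>"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sms_receiver_priority(root):
    """Highest android:priority on any intent-filter listening for SMS_RECEIVED,
    or None if the app declares no such receiver.  A high value lets the app
    see an incoming SMS before the stock messaging app; before Android 4.4 it
    could also abort the broadcast so the victim never sees the message."""
    best = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            raw = _android_attr(flt, "priority")
            try:
                prio = int(raw) if raw is not None else 0
            except ValueError:
                prio = 0
            best = prio if best is None else max(best, prio)
    return best


def triage_manifest(xml_text):
    """Return SMS-related indicators plus a coarse verdict.  The verdict is a
    triage hint, not proof: a real messaging app legitimately holds the same
    permissions, so 'high' means 'look at this one first'."""
    root = ET.fromstring(xml_text)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    prio = sms_receiver_priority(root)
    result = {
        "package": root.get("package"),
        "send_sms": SEND_SMS in perms,
        "receive_sms": RECEIVE_SMS in perms,
        "read_sms": READ_SMS in perms,
        "sms_receiver_priority": prio,
    }
    if result["send_sms"] and prio is not None and prio > 0:
        result["verdict"] = "high"      # can send and intercept replies
    elif result["send_sms"] and (result["receive_sms"] or result["read_sms"]):
        result["verdict"] = "medium"    # can send and read, no interception
    elif result["send_sms"]:
        result["verdict"] = "low"
    else:
        result["verdict"] = "none"
    return result


if __name__ == "__main__":
    for sample in (FRAUD_MANIFEST, GAME_MANIFEST):
        print(triage_manifest(sample))
```

Run it against the two samples and the fake Flash Player comes back "high" while the game comes back "none". The same check works on a real device: pull the APK with adb, decode it with apktool, and feed the resulting AndroidManifest.xml to triage_manifest.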
Because the vast majority of these attacks originate in Russia, the victims are usually Russian-speaking Android users. Of the 250,000 unique Twitter handles Lookout reviewed, 50,000 were directly linked to these toll fraud campaigns.
Lookout, which has been actively tracking SMS fraud since August 2010, said that more than half of its total malware detections in the first half of 2013 originated in Russia. The investigation was code-named “Dragon Lady,” after the nickname of the U-2 reconnaissance aircraft the U.S. flew over the Soviet Union during the Cold War.
What is notable about these particular groups is their ability to leverage the skills of a wide group of individuals. The crime rings tap talent by touting easy-to-use platforms that are designed so “just about anyone,” no coding experience needed, can distribute and profit from malware.
“These Malware HQs entice new affiliates with a common message: ‘We’ll make it easy for you to monetize your mobile web traffic,’” Smith writes in the report. “Of course this monetization is accomplished by … promising victims a useful Android application under false pretenses and instead covertly charging them through premium SMS messages.”
Tips to Thwart Toll Fraud
1. Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.
2. If a web link leads to a page that asks for account or login information, check the address bar to make sure the site is the one it claims to be before entering anything.
3. Download a mobile security app like Lookout that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect from unsafe websites.
4. Be alert for unusual behaviors on your phone, which could be a sign that it is infected. These behaviors may include unusual text messages, strange charges to the phone bill, and suddenly decreased battery life.
5. Install system software and firmware updates as soon as they are available for your device.