One of the most common types of Android malware is the trojan that claims to provide a useful service but instead sends SMS messages to premium-rate shortcodes, charging the victim and putting money directly into the attackers' hands. We've seen a steady increase in this type of malware over the past few years, and recently we've also seen its obfuscation and distribution techniques grow more sophisticated. By tracking certain malware families over time, we've seen encryption, code-level obfuscation, on-demand build systems, and weekly code release cycles become more common. It became clear that there was significant organization and investment of both time and money behind several of these families, so we began following leads to find out how far the rabbit hole goes.
This presentation will show the key findings and methods of our investigation into the top Android malware distributors operating in Russia and the surrounding region. The investigation includes the discovery of tens of thousands of bot-controlled Twitter accounts spreading links to this type of SMS fraud malware, the tracing of its distribution through thousands of domains and custom websites, and the identification of multiple Russia-based "affiliate web traffic monetization" sites that package custom Android SMS fraud malware for their "affiliates". Over the course of this investigation we mapped out an entire ecosystem of actors, each contributing their own tool or trade to keep this underground community thriving.
Come to this talk to find out just how much effort and manpower is invested in defrauding Android users through this type of SMS trojan, and what kinds of organizations are behind it.