One of the top types of Android malware are trojans that claim to provide a useful service, but instead send SMS messages to premium shortcodes, charging the victims and putting money directly into the attackers’ hands. We’ve seen a steady increase in this type of malware over the past years, and recently we’ve seen an increase in sophistication of obfuscation and distribution techniques as well. By investigating certain families of malware over time, we’ve seen encryption, code level obfuscation, on-demand build systems, and weekly code release cycles become more common. It became clear that there was significant organization and investment of both time and money behind several of these malware families, so we began following leads to find out how far the rabbit hole goes.
This presentation will show key findings and methods of this investigation into top Android malware distributors operating in Russia and the surrounding region. The investigation includes the discovery of 10’s of thousands of bot-controlled twitter accounts spreading links to this type of SMS fraud malware, tracing distribution through thousands of domains and custom websites, and the identification of multiple “affiliate web traffic monetization” websites based in Russia which provide custom Android SMS fraud malware packaging for their “affiliates”. During this investigation we have mapped out an entire ecosystem of actors, each providing their own tool or trade to help this underground community thrive.
Come out to this talk to find out how just how much effort and manpower is invested in defrauding Android users through this type of SMS trojan malware, and the types of organizations that are behind it.
Ryan W. Smith (@ryanwsmith13) is a Senior Research and Response Engineer at Lookout, and has been an actively making and breaking software systems for the past 11 years. With a tendency to jump into anything sufficiently interesting and challenging, his projects range from automated x86 reverse engineering to large scale network attack graph analytics. As a chronic community contributor, Ryan may have been seen speaking at any number of Honynet Project, OWASP, AHA, or UT COMSOC events.
Tim Strazzere is a Lead Research and Response Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include having reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices.