Highly organized Russian groups have transformed mobile hacking into an industrial scale business, a kind of "malware-as-a-service," complete with marketing affiliates, distributors and customer support. Ten such criminal enterprises are responsible for more than 60% of all Russian malware, and millions of dollars in fraudulent SMS toll charges against end users' phone bills.

The details of the extent and sophistication of Russian malware, most of it so far targeted against Russian-speaking Android phone users, are the result of a six-month long investigation called Operation Dragon Lady by Lookout, a mobile security firm based in San Francisco. Lookout researchers combined the results of Dragon Lady with three years of data collection on malware patterns in Russia. The company markets and sells security and antivirus apps to Android and iOS users and to business clients, to combat the same kind of problem uncovered by its investigation.

Lookout researchers presented the results over the weekend at the DefCon Hacking Conference in Las Vegas.

The headquarters' platform code, tools, and support are bought by a growing network of entrepreneurial "malware affiliates," who then create and distribute customized malware apps. These mobile apps, destined for Android smartphones and tablets, are made to look like "the latest Angry Birds game or Skype app," according to Lookout.

In an email, a Lookout spokesman identified BadNews, AlphaSMS and RuFraud as "examples of malware that have been tied to the Malware HQs."

But at least one of those, BadNews, is disputed.

Lookout's Mark Rogers claimed in an April 19 blog post that BadNews was a "new malware family" disguised as an ad network, and that Lookout had found it present "in 32 apps across four different developer accounts in Google Play." Lookout "notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation." Rogers added, not surprisingly, that "All Lookout users are protected against this threat."

But six weeks later, a Google employee said that Google itself had found no evidence that BadNews was, actually, bad news.

Google employee and Android team member Adrian Ludwig, speaking at a Federal Trade Commission event, "Building Security Into Modern Mobile Platforms," in Washington, D.C. in June, said Google "had not found any evidence linking BadNews to so-called 'SMS toll fraud' malware," according to an account of his remarks by SecurityLedger. "We've observed the app(lication) and we've reviewed all the logs we have access to," he said in that post. "We haven't seen a single instance of abusive SMS applications being downloaded as a result of BadNews."

SecurityLedger contacted Lookout for a reaction. The vendor's founder and CTO, Kevin Mahaffey, said "We're open to all possibilities. But, having observed the behavior of this ad network at length and analyzed its code, we don't see any possibilities other than this being a malicious ad network."

According to Mahaffey, Lookout analyzed the underlying code that BadNews used to serve ads to mobile devices. "That analysis revealed that BadNews was substantially similar to another malicious ad network, which Lookout calls RUPaidmarket," according to SecurityLedger. Mahaffey said, "There is substantial code re-use. That indicates that the same person that wrote the RUPaidmarket malware is working on BadNews, as well."

Mahaffey also said that the "organization behind BadNews only pushes malicious ads for short periods of time, as little as five minutes a day. Intermittent scanning of the ad network might easily miss such activity, but any company that observed the network over time would catch it."

For the malware affiliates, the burgeoning social networks, coupled with lax end-user security awareness, are a key distribution channel for links to the disguised malware. During Operation Dragon Lady, Lookout reviewed 250,000 unique Twitter handles. Of those, 50,000 - one in five - linked directly to toll fraud campaigns created by malware affiliates, Lookout says.

According to Lookout, SMS short codes used in these apps are publicly registered "so a company is verifying they will charge for Premium SMS." When a user sends a Premium SMS text, their phone bill is charged. Lookout says it has evidence that some affiliates are making up to $12,000 per month from such toll fraud.

The victim of these schemes is "usually a Russian speaking Android user looking for free apps, games, MP3s or pornography," according to Lookout's statement.
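Mahaffey's point above, that an ad network serving malicious ads for only a few minutes a day will slip past intermittent scanning but not past continuous observation, can be put in numbers. The Python below is an added illustration, not Lookout's code or data: it assumes one contiguous malicious window per day (five minutes, as quoted) starting at a uniformly random time, and a scanner that polls the network at a fixed interval. It gives the closed-form chance that a poll lands inside the window, checks it by simulation, and works out how often a defender would have to poll to reach a target detection probability over a monitoring period.

```python
"""Detection coverage of periodic scanning against brief malicious ad windows.

Constructed model (an assumption, not Lookout's measurements): the ad network
serves malicious ads once per day in a single contiguous window of
`window_minutes`, starting at a uniformly random minute of the day; a scanner
polls at a fixed interval of `scan_interval_minutes` and catches the activity
only if a poll lands inside that window.
"""
import math
import random

MINUTES_PER_DAY = 24 * 60


def catch_probability_per_day(window_minutes: float, scan_interval_minutes: float) -> float:
    """Probability that at least one fixed-interval scan lands in one day's window.

    Scan times form a lattice with spacing T; a window of length w whose start is
    uniform relative to that lattice contains a lattice point with probability
    min(1, w / T). Scanning at least as often as the window is long catches it always.
    """
    if window_minutes <= 0 or scan_interval_minutes <= 0:
        raise ValueError("window and interval must be positive")
    return min(1.0, window_minutes / scan_interval_minutes)


def detection_probability(window_minutes: float, scan_interval_minutes: float, days: int) -> float:
    """Probability of catching the activity at least once over `days` independent days."""
    p = catch_probability_per_day(window_minutes, scan_interval_minutes)
    return 1.0 - (1.0 - p) ** days


def max_scan_interval_for_target(window_minutes: float, days: int, target: float) -> float:
    """Largest scan interval (minutes) that still reaches `target` detection
    probability over `days` days, solving 1 - (1 - w/T)^N >= target for T."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be in (0, 1)")
    per_day_needed = 1.0 - (1.0 - target) ** (1.0 / days)
    return window_minutes / per_day_needed


def simulate_catch_rate(window_minutes: float, scan_interval_minutes: float,
                        days: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo check of catch_probability_per_day: draw a random window start
    per day and test whether the next scheduled scan falls inside the window."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    caught = 0
    for _ in range(days):
        start = rng.uniform(0, MINUTES_PER_DAY)
        next_scan = math.ceil(start / scan_interval_minutes) * scan_interval_minutes
        if next_scan < start + window_minutes:
            caught += 1
    return caught / days


if __name__ == "__main__":
    w = 5  # "as little as five minutes a day"
    for interval in (1440, 360, 60, 5):
        print(f"scan every {interval:4d} min: per-day catch "
              f"{catch_probability_per_day(w, interval):.3f}, "
              f"over 30 days {detection_probability(w, interval, 30):.3f}")
    print(f"closed form {catch_probability_per_day(w, 360):.4f} "
          f"vs simulation {simulate_catch_rate(w, 360):.4f}")
    print(f"to reach 95% over 30 days, scan at least every "
          f"{max_scan_interval_for_target(w, 30, 0.95):.1f} min")
```

A scanner that checks the network every six hours catches a five-minute daily window on roughly one day in 72, and only about a third of the time across a whole month; reaching 95% confidence over 30 days requires polling better than once an hour. That is the practical content of "observed the network over time": the sampling rate of a monitor has to be set against the shortest burst the adversary is willing to use.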