Mobile security company Lookout released a report today at DefCon that lays out the size, scope, and complexity of Android malware operations in Russia. The report found that the bulk of this Russian malware was not coming from lone individuals in basements, but from organized, well-run malware-producing operations.

Speaking to SecurityWatch, senior researcher and response engineer Ryan Smith explained that Lookout's interest was piqued when it noticed that SMS fraud malware from Russia made up a full 30 percent of all the malware the company was detecting. Over the course of six months, the company uncovered a cottage industry that had grown up around producing and distributing Android malware.

The Scam

Lookout discovered that 10 organizations are responsible for about 60 percent of the Russian SMS malware out there. Each is centered around a "Malware HQ," the group that actually produces the malicious apps. Once installed, these apps send text messages to premium SMS shortcodes, and the charge lands on the victim's wireless carrier bill. The mechanism itself is legitimate and widely used; in the U.S., it is the same text-to-donate billing that charitable organizations like the Red Cross rely on.

Here's how the scam works: The Malware HQ creates malicious applications that can be configured to look like just about anything. It also registers and maintains the shortcodes with wireless carriers. Affiliates, people working on the Malware HQ's behalf, customize the malware and market it through their websites and social media.

Victims find the affiliate's website or social media spam and download the malicious application. Once on the victim's Android device, the malware sends out one or more premium SMS messages, usually costing the victim between $3 and $20 USD each.

Because the Malware HQ owns the shortcodes, the carrier pays the charges out to it. The HQ takes a cut and passes the rest to the affiliates, who are apparently paid like normal employees, based on their performance. Smith says Lookout observed some affiliates making $12,000 USD a month for over five months, suggesting that this is a lucrative and stable "business."

Huge in Scale and Complexity

It's a pretty straightforward scam, and probably the most direct way to make money with Android malware. What makes Lookout's discovery notable is the size and oddly corporate nature of the operations.

The Malware HQ, for instance, has made it astonishingly easy for affiliates to customize the malware, shipping several ready-made themes so that an affiliate can rebrand an app without touching its code. "They can make it look like Skype, Google Play, anything to entice a user into downloading it and believing that it's real," said Smith.

Smith said that the Malware HQ organizations were also pushing out updates and new code every one to two weeks "like any other agile startup." Many of these updates were designed specifically to evade security companies, even going so far as to "encrypt portions of the program that are decrypted before they're used."

On the other side of the operation, affiliates are highly engaged in their work but also fickle. There are, Smith said, forums and websites where affiliates compare the operations of different Malware HQs. Though regularity of payment was a major concern, customer service (basically, affiliate tech support) was critical. If the affiliates are unhappy with a particular Malware HQ, they'll migrate to a different one.

The Malware HQs go out of their way to make their affiliates successful, too. Smith says the ring leaders would motivate the affiliates with cash prizes for high performance, some as large as $300,000 USD. They even built advertising platforms that tell affiliates which scams were performing better in which regions.

The Silver Lining

While it's unsettling to see crime carried out on such a large scale, and with all the trappings of a normal business, there is some good news here. Readers in the U.S. can rest easy for now, since most of these scams use specific shortcodes that are registered with carriers in Russia and the surrounding countries and won't bill anywhere else. The scheme itself, though, depends only on premium SMS billing, which is not unique to Russia.

More importantly, Smith explained that by unraveling the full extent of this scam, Lookout can provide better protection. "We are now able to tie back to their distribution," Smith said. Rather than relying only on signatures for the app code, which is frequently altered, the company can now also screen out the servers, IP addresses, and other markers the operations reuse.
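The two detection angles the article describes, the app's premium-SMS behaviour (permission, SMS API use, shortcode destinations, as in the scam walkthrough above) and the reused infrastructure it talks to, can be combined in a small triage check. The following is an added example, not code from Lookout's report; the shortcode length range, the blocklist, and the two sample apps (a fake "Skype" lookalike and a benign messaging app) are all constructed for illustration. It takes the permissions from an APK's decoded AndroidManifest.xml and the string constants pulled from its classes.dex (as apktool or a dex string-pool dump would give you) and reports both signals separately.

```python
"""Heuristic triage of an Android app for premium-SMS fraud indicators.

Added example; the inputs below are constructed, not data from the report.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSION = "android.permission.SEND_SMS"
# Assumption: carrier shortcodes are 4 to 6 digit numbers. Bare numbers of that
# length also include years and IDs, so this is only one signal among several.
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")
# Class and method names that appear in dex strings when the app sends SMS.
SMS_API_MARKERS = ("SmsManager", "sendTextMessage", "sendMultipartTextMessage")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def manifest_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get("{%s}name" % ANDROID_NS) for e in root.iter("uses-permission")}


def triage(manifest_xml, dex_strings, blocked_hosts=frozenset()):
    """Score an app on the code-based and infrastructure-based signals."""
    perms = manifest_permissions(manifest_xml)
    has_sms_perm = SMS_PERMISSION in perms
    uses_sms_api = any(m in s for s in dex_strings for m in SMS_API_MARKERS)
    short_codes = sorted({s for s in dex_strings if SHORT_CODE_RE.match(s)})
    hosts = {h for s in dex_strings for h in HOST_RE.findall(s)}
    blocked = sorted(hosts & set(blocked_hosts))
    return {
        "sms_permission": has_sms_perm,
        "sms_api": uses_sms_api,
        "short_codes": short_codes,
        "blocked_hosts": blocked,
        # Code signal: can send SMS and carries shortcode destinations. This is
        # the part the operators re-obfuscate every week or two.
        "premium_sms_suspect": has_sms_perm and uses_sms_api and bool(short_codes),
        # Infrastructure signal: contacts hosts already tied to the operation.
        # This survives a rewrite of the app code.
        "known_infrastructure": bool(blocked),
    }


# Constructed sample: a lookalike app themed as Skype that texts two shortcodes
# and fetches its configuration from an affiliate panel.
FAKE_SKYPE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.skype.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Skype"/>
</manifest>"""
FAKE_SKYPE_STRINGS = [
    "Landroid/telephony/SmsManager;", "sendTextMessage", "4445", "7122",
    "http://cfg.affiliate-panel.example/get", "Skype", "Loading...",
]

# Constructed sample: a benign messenger that legitimately sends SMS but has no
# shortcode destinations and talks only to its own backend.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.messenger.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messenger"/>
</manifest>"""
BENIGN_STRINGS = [
    "Landroid/telephony/SmsManager;", "sendTextMessage", "v1.0.7",
    "https://api.messenger.example/v1/sync",
]

# Constructed blocklist standing in for the servers and IPs an analyst has
# already attributed to a Malware HQ or its affiliates.
BLOCKED_HOSTS = frozenset({"cfg.affiliate-panel.example"})

if __name__ == "__main__":
    for name, m, s in (("fake-skype", FAKE_SKYPE_MANIFEST, FAKE_SKYPE_STRINGS),
                       ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(name, triage(m, s, BLOCKED_HOSTS))
```

The two verdict fields are kept separate on purpose: the SEND_SMS permission plus an SMS API call is normal for a messaging app, so the code signal only fires when shortcode-shaped destinations are present, and even then a bare four-digit number can be a year or an ID. The infrastructure field is the cheaper and more durable match, which is exactly the point Smith makes about tying detections back to distribution rather than to code that changes every fortnight.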

This won't stop the scammers outright. After all, if they're organized enough to rework their code every couple of weeks, they're organized enough to know that the security companies are on to them. Yet Smith says that this could be a victory in the long run: "In order to make the changes they need to make, it will be costly to them."

And we know that going after the wallet is a great way to fight malware.
