Android And BlackBerry Malware Selling For Thousands On Dark Web

A dealer on the Internet underground is selling mobile malware that works on various operating systems for as much as $15,000, TechWeekEurope has learned.

The seller, calling themselves and their Trojan ‘Perkele’, offers both Regular and Lite versions of the malware, as well as customisation and support options, according to posts on a dark web forum that was passed on to TechWeekEurope.

The malware, which appears on phones as an application, works on Android, BlackBerry and Symbian, the dealer claims. The Perkele Lite option is for Android only. Noted security researcher and blogger Brian Krebs and security firm F-Secure picked up on the Android kits available on other underground forums earlier this week, indicating the seller is hitting up a number of markets.

The rogue apps pose as official banking applications. Both are designed to intercept SMS messages that banks send to customers as the second factor in an authentication process. This is not a new tactic, but the price of the malware and the services it offers hints at a trend – that hacking-as-a-service for mobile is growing in prominence.

Mobile malware scare

By working alongside web-injecting PC malware, the apps assist those carrying out man-in-the-browser attacks. Once the PC Trojan has modified a banking site and tricked the user into handing over their login details, it asks them to install Perkele, which picks up the special code sent by the bank. That gives the attackers the keys to the target’s bank account.

A number of malicious mobile apps have been seen doing similar things in recent months, including Carberp and the mobile version of Zeus, Zitmo.

One of the pre-set options of Perkele, where the application templates and design have already been created, is aimed at a major global bank operating in the UK. TechWeekEurope has chosen not to reveal the name of the bank at the request of our source. Krebs, however, has noted customers of Citibank, HSBC and ING were being targeted.

As well as offering to buy verified developer accounts at Google Play for $100, Perkele sold various packages for their mobile malware, including 10 versions of the Trojan targeting whatever financial institutions the buyer wants for $15,000. With that option, Perkele offered to design the malicious apps and their functions.

If the buyer wants to run their own design, they only need to pay $8,000. Support was also offered for eight hours a day, whilst Perkele said they were taking orders for any malicious mobile apps on any OS, but did not go into specifics.

High investment for high returns

Security researchers noted the high price of Perkele,  but the returns may well be worth it for the attackers. The emergence of expensive mobile Trojans on the underground hints at a maturing of the hacking-as-a-service market.

“A new breed of consolidators is emerging. They amalgamate vulnerabilities and offer a one-stop-shop for those seeking the latest malware for use in criminal endeavours,” said Professor Alan Woodward, from the Department of Computing at the University of Surrey.

“This newer purveyor of fine malware is able to charge a premium just like in any other market because they are providing access to items that the buyers would not otherwise know either where to locate it, or how to deploy it.

“In many ways it is a perfect market in that the price will find its own level.”

Raj Samani, EMEA CTO for security giant McAfee, told TechWeekEurope the hacking-as-a-service industry “is where it’s at now”. “Why risk doing it yourself? Just sell it on,” he said.

“It’s not just us who are seeing more of this, where cyber criminals are enabling other people to conduct criminal activity. This will increase the volume of attacks we will see.

“But this [Perkele] is priced way higher than anything I’ve seen.”

Android continues to be the main target for mobile malware in general. McAfee reported last month that it found that 75 percent of the malware-infected apps downloaded by McAfee Mobile Security users came from the official Google Play store.

According to F-Secure’s Mobile Threat Report released last week, the Google OS was the target of 79 percent of all mobile malware the security firm saw in 2012, up from 66 percent in 2011.

Symbian malware has seen its share drop to 19 percent, from 29 percent in 2011, as hackers pick up on the fact that the OS is declining rapidly in popularity.

Meanwhile, worries over worms that propagate through near field communications (NFC) are growing, where attackers rely on proximity – a process McAfee is calling “bump and infect.”

Some have claimed mobile threats have been overhyped by vendors in recent years. Yet in 2013, the landscape is starting to look considerably more concerning than it was before.

Are you a security expert? Try our quiz!