DEF CON: 30 Percent Of Mobile Malware Made By 10 Russian Firms

Almost a third of all mobile malware is made by just 10 organisations operating out of Russia, a security company has claimed.

These “malware HQs” are pumping out toll fraud apps, largely aimed at Android users, which send texts to premium rate numbers without the user’s consent, said Lookout Mobile Security.

It followed the money all the way back to these ten organisations and found that thousands of affiliate marketers also profit from the scheme, spreading the malware by setting up websites designed to trick users into downloading seemingly legitimate apps.

These affiliates, who can make up to $12,000 a month, are heavy users of Twitter too. Lookout examined 500,000 unique Twitter handles it believed were involved in spreading mobile malware, 247,863 of which linked directly to malicious kit from the micro-blogging platform.

Mobile malware crackdown

“We are not too fond of their activity,” co-founder and CTO of Lookout, Kevin Mahaffey, told TechWeekEurope earlier this week, ahead of the report’s release at the DEF CON 21 conference in Las Vegas.

“We cannot comment on ongoing investigations with law enforcement. But we are very motivated to get them to stop.”

Ryan Smith, senior security engineer at Lookout, said the malware HQs had gone to great lengths to obfuscate and encrypt their code to make detection tricky. Yet many advertise in the most brazen of ways on the public Internet, as the images in the original article showed.

These malware factories produce the tools that let affiliates build custom malware to their liking, so the affiliates need little technical nous. The main skills they need are web development and a knack for phishing: building pages that mimic the Google Play store itself, or that pose as updates for popular software such as Skype or Opera.

The next step is to organise massive advertising campaigns on Twitter to get users to download the app, which then starts sending texts to premium rate numbers without the user’s permission. The affiliates take the money, some of which is reinvested in more malware.
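The toll fraud mechanism described above (an app that silently sends texts to premium rate numbers) leaves characteristic traces in an Android package. The script below is an added example written for this page, not Lookout’s detection logic and not code from the Dragon Lady report. It assumes the APK has already been decoded with a tool such as apktool, so that AndroidManifest.xml is plain XML and the bytecode is available as smali text; the manifest and smali fragment embedded here are constructed samples, and the short code `4161` in them is invented. It goes slightly beyond the article by also flagging a high-priority `SMS_RECEIVED` receiver, a common trick for hiding the operator’s confirmation replies from the victim.

```python
"""Heuristic triage of a decoded Android app for SMS toll-fraud traits.

Added example. Assumptions (not from the article): the APK was decoded with
apktool, the manifest is plain XML and the code is in smali text form.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_SEND = "android.permission.SEND_SMS"
SMS_RECV = "android.permission.RECEIVE_SMS"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a fake "Skype Update" that asks for SMS rights and
# registers a top-priority receiver for incoming texts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.skypeupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Skype Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: smali that sends a text to a hard-coded short code.
# The number 4161 is invented for this example.
SAMPLE_SMALI = """
const-string v1, "4161"
const-string v2, "ACT 3"
invoke-virtual {v0, v1, v3, v2, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
"""

# A 4-6 digit string constant is the usual shape of a premium short code.
SHORT_CODE = re.compile(r'const-string v\d+, "(\d{4,6})"')


def manifest_permissions(xml_text):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(xml_text)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def sms_receiver_priority(xml_text):
    """Highest priority of any intent-filter for SMS_RECEIVED (0 if none).

    A very high priority lets the app see operator replies before the
    user's messaging app does, and abortBroadcast() then hides them.
    """
    root = ET.fromstring(xml_text)
    best = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            best = max(best, int(flt.get(ANDROID_NS + "priority", "0")))
    return best


def hardcoded_short_codes(smali_text):
    """Short-code string constants within five lines before a sendTextMessage call."""
    lines = smali_text.splitlines()
    codes = set()
    for i, line in enumerate(lines):
        if "SmsManager;->sendTextMessage" in line:
            window = "\n".join(lines[max(0, i - 5):i])
            codes.update(SHORT_CODE.findall(window))
    return sorted(codes)


def triage(manifest_xml, smali_text):
    """Return the findings and a verdict; two or more traits is suspicious."""
    perms = manifest_permissions(manifest_xml)
    findings = []
    if SMS_SEND in perms:
        findings.append("requests SEND_SMS")
    if SMS_RECV in perms and sms_receiver_priority(manifest_xml) >= 1000:
        findings.append("high-priority SMS_RECEIVED receiver (can hide replies)")
    codes = hardcoded_short_codes(smali_text)
    if codes:
        findings.append("sends SMS to hard-coded short code(s): " + ", ".join(codes))
    return {"findings": findings, "likely_toll_fraud": len(findings) >= 2}


if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFEST, SAMPLE_SMALI)["findings"]:
        print("-", f)
```

A legitimate messaging app will also request SEND_SMS, so no single trait is conclusive; the combination of SMS permissions, a reply-intercepting receiver and a hard-coded short code in an app that claims to be a "Skype update" is what makes the sample worth a closer look.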

Whilst Lookout isn’t divulging the names or whereabouts of the original malware sellers, other than saying they’re based in Russia, it continues to monitor the operation, which it has called Dragon Lady. “We have cast a wider net around these organisations,” Smith added. “We are monitoring domains used by the affiliates and malware HQs.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
