Mobile virus writers pay to Google Play
Banking customers are the target of a new Android malware package seeking to infiltrate the Google Play store.
An explosion in malicious software (malware) targeting Android smartphone users is being fueled in part by a budding market for mobile virus creation kits, as well as a brisk market for hijacked or fraudulent developer accounts on Google's app store Google Play that can be used to disguise malware as legitimate apps for sale.
I recently encountered an Android malware developer on a semi-private underground forum who was actively buying verified developer accounts at Google Play for $US100 apiece. Google charges just $US25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case was offering $US100 for sellers willing to part with an active, verified Google Play account tied to a dedicated server.
Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of the Commonwealth Bank, Westpac, Citibank, BankWest and ING Direct in Australia, as well as 64 other financial institutions in the US, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.
This bot kit — dubbed "Perkele" by a malcoder who goes by the same nickname ('perkele' is said to be a Finnish curse word for "devil" or "damn") — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele's malware, it appears to be quite popular and to perform as advertised.
Perkele is designed to work in tandem with PC malware "web injects", code components that can modify bank websites as displayed in the victim's browser. When the victim goes to log in to their bank account at their PC, the malware web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.
Once the victim has installed the mobile "security" app and verified it with a special supplied code, the app sends an SMS back to the malware kit's licence holder. Perkele also supports the removal of the mobile bot via SMS. Scammers can purchase a single-use application that targets one specific financial institution for $US1,000; the malware author also sells a "universal kit" for $US15,000, which appears to be an SMS malware builder that allows unlimited variations targeting all supported banks.
Of course, there are far more sophisticated mobile malware threats in circulation than Perkele. Many variants of the cross-platform ZeuS-in-the-Mobile or Zitmo malware have emerged, but they are designed to work in tandem with a specific PC malware strain such as ZeuS. What makes Perkele interesting is that it can essentially be loaded as an add-on by virtually any financial malware family that supports web injection.
Other recent mobile malware samples identified by Russian security firm Kaspersky make Perkele look like a child's plaything. In particular, the company identified a new Android bot that masquerades as a "cleaner" app meant to free memory for Google's operating system but which actually wreaks havoc on the smartphone in the background and on Microsoft's operating system when it's connected to a PC. Some of the features of this malware include the ability to turn on the microphone on the victim's PC, enable wi-fi on the phone, and snarf all of the data from the phone's memory card.
Say what you will about Apple's "closed" or "vetted" iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps. Last year, malware on smartphones increased more than 780 per cent over 2011, according to a Kaspersky report released last month. The company found that 99 per cent of the mobile malware targeted Android devices. During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to 6300 programs. The largest category of mobile malware last year was SMS trojans that hid in fake apps and links, and could drain bank accounts.
Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app's permissions before you install it. Also, make sure you download apps that are scanned through Bouncer (Google's internal malware scanner).
Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.