An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.
I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server.
Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.
This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.
Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.
Once the victim has installed the mobile “security” app and verified it with a special supplied code, the app sends an SMS back to the malware kit’s license holder. Perkele also supports the removal of the mobile bot via SMS. Customers can purchase a single-use application that targets one specific financial institution for $1,000; the malware author also sells a “universal kit” for $15,000, which appears to be an SMS malware builder that allows an unlimited number of builds targeting all supported banks.
Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up. Many variants of the cross-platform ZeuS-in-the-Mobile or Zitmo malware have emerged, but they are designed to work in tandem with a specific PC malware strain (ZeuS). What makes Perkele interesting is that it can essentially be loaded as an add-on by virtually any financial malware family that supports Web injects.
Other recent mobile malware samples identified by Russian security firm Kaspersky make Perkele look like a child’s plaything. In particular, the company identified a new Android bot that masquerades as a “cleaner” app meant to free memory for Google’s operating system but which actually wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. Some of the features of this malware include the ability to turn on the microphone on the victim’s PC, enable Wi-Fi on the phone, and snarf all of the data from the phone’s memory card.
Say what you will about Apple's “closed” or “vetted” iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps. Last year, malware on smartphones increased more than 780 percent over 2011, according to a Kaspersky report released last month. The company found that 99 percent of the mobile malware targeted Android devices. During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to 6,300 programs. The largest category of mobile malware last year was SMS trojans that hid in fake apps and links, and could drain bank accounts.
Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app’s permissions before you install it. Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner). Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.
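“Read and comprehend an app's permissions” can be turned into a mechanical check. The script below is an added example, not code from the post or from any vendor: it parses an Android manifest and flags the combination an SMS-intercepting bot like the one described above needs (permission to receive or read SMS, a way to forward them by SMS or network, and a high-priority receiver for incoming-SMS broadcasts). The sample manifest is constructed for illustration.

```python
"""Flag Android manifests that match the SMS-interception pattern
(added example; the sample manifest below is constructed, not real)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name in Clark notation
PRIORITY = "{%s}priority" % ANDROID_NS  # android:priority

# Constructed manifest for a hypothetical fake "security certificate" app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitycert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Real Android permission names grouped by what they enable.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def analyze_manifest(xml_text):
    """Return a list of human-readable findings; empty means no SMS-bot pattern."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []
    if perms & SMS_READ:
        findings.append("reads incoming SMS")
        if perms & EXFIL:
            findings.append("can forward intercepted SMS by SMS or network")
    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        if SMS_ACTION in actions:
            prio = int(flt.get(PRIORITY, "0"))
            findings.append("SMS_RECEIVED receiver with priority %d" % prio)
            if prio > 0:
                findings.append("high-priority receiver sees SMS before the messaging app")
    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print("-", f)
```

A messaging app legitimately needs the same permissions, so the output is a prompt for the due diligence the post recommends, not a verdict on its own.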