March 6, 2013

An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

An Underweb ad for Perkele

I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server.

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.

Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.

Once the victim has installed the mobile “security” app and verified it with a special supplied code, the app sends an SMS back to the malware kit’s license holder. Perkele also supports the removal of the mobile bot via SMS. Customers can purchase a single-use application that targets one specific financial institution for $1,000; the malware author also sells a “universal kit” for $15,000, which appears to be an SMS malware builder that allows an unlimited number of builds targeting all supported banks.

Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up. Many variants of the cross-platform ZeuS-in-the-Mobile or Zitmo malware have emerged, but they are designed to work in tandem with a specific PC malware strain (ZeuS). What makes Perkele interesting is that it can essentially be loaded as an add-on by virtually any financial malware family that supports Web injects.

Other recent mobile malware samples identified by Russian security firm Kaspersky make Perkele look like a child’s plaything. In particular, the company identified a new Android bot that masquerades as a “cleaner” app meant to free memory for Google’s operating system but which actually wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. Some of the features of this malware include the ability to turn on the microphone on the victim’s PC, enable Wi-Fi on the phone, and snarf all of the data from the phone’s memory card.

Say what you will about Apple‘s “closed” or “vetted” iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps. Last year, malware on smartphones increased more than 780 percent over 2011, according to a Kaspersky report released last month. The company found that 99 percent of the mobile malware targeted Android devices. During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to 6,300 programs. The largest category of mobile malware last year was SMS trojans that hid in fake apps and links, and could drain bank accounts.

Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app’s permissions before you install it. Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner). Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.
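The advice above to read an app’s permissions is easier to follow with a concrete idea of what to look for. The script below is an added example, not code from the article or from any product mentioned in it: it parses an AndroidManifest.xml and flags the combination an SMS-intercepting bot of the kind described above needs to function, namely a permission to receive or read SMS together with a channel (INTERNET or SEND_SMS) to forward what it captures, plus a broadcast receiver that registers for the platform’s SMS_RECEIVED action at high priority so it sees messages before the default messaging app. Both manifests embedded in it are constructed samples; the package and class names are made up. Legitimate messaging apps request the same permissions, so the output is a triage signal to prompt further scrutiny, not a verdict.

```python
"""Permission triage for an Android app manifest (added example, constructed data)."""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes as "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app see incoming text messages.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permissions that let an app forward what it captured off the device.
EXFIL = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Platform broadcast delivered when a text message arrives.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest modelled on a fake "security certificate" app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Certificate">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a harmless-looking flashlight app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def sms_receivers(manifest_xml: str) -> list:
    """Return (receiver name, filter priority) for receivers that listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(filt.get(ANDROID_NS + "priority", "0"))
                found.append((receiver.get(ANDROID_NS + "name", "?"), priority))
    return found


def triage(manifest_xml: str) -> dict:
    """Summarise the manifest and list findings relevant to SMS interception."""
    perms = requested_permissions(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    findings = []
    if perms & SMS_READ:
        findings.append("reads incoming SMS: " + ", ".join(sorted(perms & SMS_READ)))
    if perms & SMS_READ and perms & EXFIL:
        findings.append("can forward SMS content off the device: " + ", ".join(sorted(perms & EXFIL)))
    for name, priority in receivers:
        if priority > 0:
            findings.append(
                f"receiver {name} registers for SMS_RECEIVED at priority {priority} "
                "(sees messages before the default SMS app)"
            )
    return {
        "permissions": sorted(perms),
        "sms_receivers": receivers,
        "findings": findings,
        # The combination, not any single permission, is the signal.
        "suspicious": bool(perms & SMS_READ and perms & EXFIL),
    }


if __name__ == "__main__":
    for label, manifest in (("fake certificate app", SUSPICIOUS_MANIFEST), ("torch app", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: suspicious={report['suspicious']}")
        for line in report["findings"]:
            print("  -", line)
```

Run against a real APK, the manifest would first need to be decoded from its binary form (apktool or a similar decoder); the script assumes plain XML. The `suspicious` flag deliberately ignores a lone SMS permission, because many legitimate apps read SMS for verification codes; what distinguishes an interceptor is the pairing with a way to send the message elsewhere.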


36 thoughts on “Mobile Malcoders Pay to (Google) Play”

  1. Dan Bourquard

    Okay, so the next question is, what AV or Anti-malware apps are there for the ‘Droids?

    1. JCitizen

      Avast has had an Android mobile AV for a while – hopefully it works on your version.

  2. JayW

    I have a AVG antivirus on my android. Is it effective in your opinion?

    1. brian krebs

      I suppose it’s better than nothing, and there are several. It certainly can’t hurt, unless it gives the user a false sense of security. Here’s why I say that: As we’ve seen in the desktop AV space, many users take an all-clear AV scan of a file as gospel that it is okay to install, even when they know next to nothing about where the file came from or its reputation. I guess my thoughts on this are summed up in the post at the following link, which isn’t about mobile malware but rather about how many people use AV as a proxy for due diligence and common sense.

      http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

      1. Ranget

        and whose fault is that

        all of the computer users trust their AV because of what huge hubris
        most companies show
        it’s not their fault, it’s the media’s fault

  3. Kiaser Zohsay

    > Some of the features of this malware include the
    > ability to turn on the microphone on the victim’s PC,
    > enable Wi-Fi on the phone, and snarf all of the data
    > from the phone’s memory card.

    It’s been a long time since I’ve seen the word “snarf” used in proper context. Thanks for that.

    kz

  4. john senchak antihotmail.com

    You can say what you want, but Android users will continue to download this crap without any thought of its intended purpose. The problem is that most people are not computer literate enough to understand the concepts of malware and social engineering.

    J.S.

  5. Nicholas Weaver

    “Take a moment to read and comprehend an app’s permissions before you install it.”

    This is the biggest flaw in Android: The Blame the User permissions model.

    With iOS, you have Apple’s nazgul, err, lawyers and limited API (apps can’t dial the phone or access SMS messages) protecting you, and what few prompts occur happen on first use, so users can meaningfully make a decision and have already established that the app can run.

    With Android, the only thing really protecting the user is a huge permissions blob that all but an expert has no hope of decoding, and it’s all or nothing: either the app runs or it doesn’t.

    They really really need to change this to shift a lot of scary permissions (SMS, phone dialing, private data access, etc: all the stuff the malcode really needs to do) into “prompt on first use”.

    1. BrianKrebs Post author

      Can’t argue with any of the points you made, there, Nicholas. You’re absolutely right, IMHO. It’s the same thing with privacy policies, only this time it’s apps.

    2. pboss

      It’s actually worse, in that the app permissions aren’t confusing, but instead are so terse and broad that you don’t have any idea what the app is planning to do at all. In fact, the whole app permissions blob is useless from a properly paranoid user POV.

  6. Vee

    Well, then again, when did phones just have to have all this app garbage anyway? Why can’t they just be phones that work great as phones?

    Sure, you’d still have Android for tablets, but generally, this app junk is junky anyway.

    1. Rabid Howler Monkey

      Smartphones (and tablets) are personal computers, only much more personal than desktops and laptops. Don’t blink too fast or you might miss Apple’s iWatch and Google’s Glass.

      People are using their Android devices for finances, both personal and business. As an example, Intuit now has Mobile Banking, QuickBooks, GoPayment and bMobile NOW Pro mobile apps for Android.

      Brian’s recommendations apply equally to Android tablets as they share the same app store, Google Play. A pity if Brian has to do with Android what he has done with Windows with regard to online banking.

        1. Vee

          The fact you can even do bank things on those toys scares me.

        2. nikol

          security is really a bunch of people getting together and deciding wtf is safe…. on the internet, androids seem easy prey… and people walk out of their padlocked houses everyday with nothing protecting them but a piece of glass… that said i will be extraordinarily careful to download any apps. period… and also web-browser plug-ins

  7. Mark

    Anybody have a link to the actual Kaspersky report? The link in the article just takes you to another article that only mentions the report. I have not been able to find this report on Kaspersky’s web site.

  8. yirg

    Brian, did you contact google re this? (Did I miss this in the article?)

  9. Rick Zeman

    Brian says: “Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner).”
    Rick says: “Huh? How on earth is Joe User supposed to know that?”
    It’s bad enough to navigate the permissions model as mentioned above (I’ve always thought the developer should have to say WHY they need that particular functionality), but for the user to try and figure out what malware scanners have been used? If you’re trying to say that any app in Google Play has been scanned with Bouncer, it’d be clearer to say “only get apps from Google Play.”

    I dumped my Android in favor of an iPhone precisely because of this, and the lack of security patches from the vendors.

  10. Annemarie Hut

    I suppose someone wants to earn money by selling security apps on Android (they won’t be trying to sell it on iOS, because that’s a closed system).

    Read this article: http://appleinsider.com/articles/13/03/05/ios-apps-leak-more-personal-data-than-do-android-apps—report

    The matter is not so much (or at least not only) bad bad malware on Android, but even worse privacy infringement on iOS. iOS users can’t see what permissions they give, so they won’t be able to check if an app reads all their contacts (for instance). Speaking of social engineering.

    As for sms and ING. You won’t be able to hack into an account with that sms only. You’d need someone’s login name and password too. True, it’s getting close to dangerous though. (BTW, does anyone really still use the ING website a lot since the mobile app?)

    1. Neej

      I can’t work out if you’re one of these fanboi types that turns into a raving idiot at the mention of their particular brand/device/software and/or its hated competitor.

      You seem absurdly ignorant of how Apple and Google application ecosystems operate.

      Also you seem to think privacy leaks – which BTW Google has an appalling record on – are worse than having money stolen.

      Android has a real world problem with malicious software which is orders of magnitude larger than Apple.

      1. Annemarie Hut

        Excuse me, who’s talking? (Neej?)

        My point is that people make money with selling security by pushing fear upon us. “It’s the marketing stupid!”

        In the article above Kaspersky is mentioned twice in the part that describes the worst of the worst of security flaws. What is that? A hint?

        1. SeymourB

          You remind me of certain people who frequent the Apple Support Community forum, who insist there are no viruses for OS X, and that reports of malware (e.g. Flashback) are complete fabrications by antivirus companies. And, of course, I was a liar/paid shill for saying I was removing dozens of Flashback infections each week.

          No offense intended, really, you just both seem to have the same schtick. Struck me as… ironic.

    1. JCitizen

      I agree, except I’m not particularly attracted to him! HA! 😀

  11. Ben

    Hi Brian

    Thanks for this excellent article. Do you have a sample of the PC malware? I am working for one of the mentioned banks and I would like to test if it really works.
    Thanks and Regards
    Ben

  12. Ranget

    anyway general thought

    internet is becoming harder each day on the normal people
    a lot of people have a hard time operating the computer in the first place

    i can’t expect my grandma to have a simple idea on how to secure her computer beside using an AV and i don’t expect that to change

  13. Ronald

    Two factor authentication based on sms tokens is not that safe anymore. Back to hardware tokens…

  14. RR

    What’s the current state of android “drive by” attacks? Obviously there are remotely exploitable apps (Flash), but all we hear about is users installing malware from app stores.

    1. TJ

      Very good question.

      And as pointed out this week at Pwn2Own, all of the successful browser and plugin exploits required navigation to a malicious site.

  15. wasa

    one thing attackers have not figured out (or used) yet is that they don’t need user interaction to push Google Play apps on to victims’ phones once the pc browser is compromised. That’s because from the web browser, a logged user can install apps on his phone without further confirmation on the phone 🙂 This is real cool for usability… but I imagine this will be used in the next version of Zeus malware.

  16. wasa

    one more thing, I totally agree with Nicholas Weaver, the permission model simply does not work. “Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble”. This statement is the usual advice given by computer scientists. If you were to buy (and eat) different pharmaceutical pills each day, would you be able to tell the good from the bad without VERY good knowledge of chemistry and the human body? Certainly not. This is exactly what happens to users… This is confirmed by studies (http://www.cs.berkeley.edu/~afelt/felt-androidpermissions-soups.pdf): 17% of users pay attention to permissions, 3% really understand them. Users don’t buy phones to “waste” their time reading boring stuff, they want to play games, connect with their friends and have fun. Call it “selective attention”, distraction or something else, you cannot change the human mind.
    Also, the same app tends to increase the number of required permissions over time (http://www.cs.ucr.edu/~neamtiu/pubs/acsac12wei.pdf). Maybe because developers add features to their apps over time? Anyway, the line between “good app because few permissions” and “bad app because lots of permissions” becomes blurred… that won’t help us 🙁

  17. Richard Steven Hack

    All this mobile malware business strikes me like the early “freeware” and “shareware” days. Or even today, for that matter.

    That is, there are tons of “free stuff” on the Internet, most of which is either adware or spyware or outright malware. Then there’s some really good free stuff that isn’t.

    Only smart users can distinguish between freeware and shareware offered by respected download sites like Major Geeks and FileHippo and crap downloaded from many, many other “free software” sites.

    The mobile app infrastructure needs someone like MajorGeeks to test and verify apps. Then the people selling phones need to recommend to all buyers in big letters to only deal with such established sites.