Dancing Penguins: a case of organized Android pay-per-install

For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus infected PCs for cash. These trading schemes are often called pay-per install (PPI) programs. We have recently started an investigation on a new type of pay-per install program, this time threatening Android devices.

We began our investigation by looking at domain names and malicious files related to what appears to be a Russian web forum used by the cyber criminals for marketing and supporting their PPI scheme. The forum started operating at the end of 2011. From the information we could gather, actors who successfully install malicious software on Android devices get paid between 2 and 5 US dollars per installation. This is much higher than the typical price for Windows PCs. As shown in the image below, taken from the front page of this web forum, the administrators of this program have even prepared graphics to attract as many crooks as possible.

Promotion Page for Android Pay Per Install

The software that is installed on Android devices is usually in the Android/TrojanSMS malware family. These malicious programs send SMS messages to premium rate numbers, bringing monetary profit to the malware operators. Our colleagues at Quickheal have blogged about one of these applications.

Login Page

Methods for infecting Android devices are varied but usually involve distributing malware as cracked or pirated copies of popular commercial games. Phones or tablets then get infected when users search forums or alternative market places for popular games like Angry Birds, instant messaging clients, and so forth. The following figure shows the download page for one such trojan being distributed as a game.

Malware Posing as Android Game

So far, we have found thirty different domain names related to this operation. They have been used to distribute hundreds of malicious files. During our analysis, we saw twenty-three unique variants being distributed through more than 300 unique URLs. Most of the malicious samples we analyzed were pre-programmed to send SMSes to the following premium: 6666, 9999, 7375.

Here is a list of domain names which seem to be related to this operation:
android-programmy.ru
android-s.in
android-syst.ru
androidz-mix.ru
apk-fail.ru
cekc26.ru
download-site.in
faiil-apk.ru
faiiles.ru
fiileapk.ru
file-m-obi.net
file-mo-bi.net
filemifree.net
fileow68.net
flash-mobile-dl.ru
flashmobiledl.ru
free-mobile.in
herwekome.ru
htcffile.ru
htcfi1e.ru
htcfile.ru
inter4me.net
mobile-s.in
mobilgamesappsru.ru
nokialists.ru
operamlni.ru
qertys1016.ru
regimens.ru
regimens.ru.in
wwwmobiles.ru

The following file hashes are Android/TrojanSMS variants used in this operation:
18c86d12a7463a11836c581264b92893f840028f
1a840e11f615c251eff4c0f699258190a0496c60
1bd6556ebb463cff1d7afb5681e9e5886b636bab
3b5c5ae0131566c232ebf7a4f777b55e7ab53862
418258e490ecb1af13033193221b765f48492d42
50c2d3065ffdb6e4786fc8d4d73620da81af66c6
64efb1a181de3ffdb77b381cdf2185f74eb7cfe4
7196e9301282b74ed33ab565a07a31dee6f8243b
7444868a3f11597781583c368c22676c14259a64
74a90abf1915c6d0fe23e4cbe1cec2a53d759d03
8943d767e1d4f6fb3bfe28e64a417af2b00163cf
90771e904db0d30e4c2dc4efd625f8030d457aed
91c97cba1e545ac45a6f892ec20cbe440928ff50
955bf6367aa5629b5fa0f7fb6f54ebba8494f499
a49d56496662b03d4913af90865a59d0a40d61cf
b73eef29993b3803dafef4c784fd87e774a8bc62
d80f10df01b0527cd0859f7ee4e575ea7b770964
e63870a7850e226e2baed964d23b1de1c56aae63

This discovery, while not ground breaking, illustrates a disturbing trend in malware creation. Malware creators and operators are increasingly targeting mobile platforms as this device segment grows and attracts more users.

To protect your Android tablets and smartphones, you can use ESET Mobile Security for Android

Author Pierre-Marc Bureau, ESET

  • farid

    lol,all of them are russian.

    • Aryeh Goretsky

      Hello,

      Yes, Farid, this scam is heavily used in Russia and the CIS, but has also been seen in other parts of the world.

      Regards,

      Aryeh Goretsky

  • Atinder

    Hi,
     some of the files among these hashes are FakeAV's for windows like 0277d93a9c3d5c43511a2304c3b59861b7d5d97e34fa7a9c3d657bea2edc5dd6

    • Pierre-Marc Bureau

      Thanks for reporting this mistake. I have updated the list of file hashes to remove two entries which were referring to windows binaries.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

2 articles related to:
Hot Topic
12 Sep 2012
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.