For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus infected PCs for cash. These trading schemes are often called pay-per install (PPI) programs. We have recently started an investigation on a new type of pay-per install program, this time threatening Android devices.
We began our investigation by looking at domain names and malicious files related to what appears to be a Russian web forum used by the cyber criminals for marketing and supporting their PPI scheme. The forum started operating at the end of 2011. From the information we could gather, actors who successfully install malicious software on Android devices get paid between 2 and 5 US dollars per installation. This is much higher than the typical price for Windows PCs. As shown in the image below, taken from the front page of this web forum, the administrators of this program have even prepared graphics to attract as many crooks as possible.
The software that is installed on Android devices is usually in the Android/TrojanSMS malware family. These malicious programs send SMS messages to premium rate numbers, bringing monetary profit to the malware operators. Our colleagues at Quickheal have blogged about one of these applications.
Methods for infecting Android devices are varied but usually involve distributing malware as cracked or pirated copies of popular commercial games. Phones or tablets then get infected when users search forums or alternative market places for popular games like Angry Birds, instant messaging clients, and so forth. The following figure shows the download page for one such trojan being distributed as a game.
So far, we have found thirty different domain names related to this operation. They have been used to distribute hundreds of malicious files. During our analysis, we saw twenty-three unique variants being distributed through more than 300 unique URLs. Most of the malicious samples we analyzed were pre-programmed to send SMSes to the following premium: 6666, 9999, 7375.
Here is a list of domain names which seem to be related to this operation:
The following file hashes are Android/TrojanSMS variants used in this operation:
This discovery, while not ground breaking, illustrates a disturbing trend in malware creation. Malware creators and operators are increasingly targeting mobile platforms as this device segment grows and attracts more users.
To protect your Android tablets and smartphones, you can use ESET Mobile Security for Android
Author Pierre-Marc Bureau, ESET