Lookout Report Finds 10 Organizations Behind 60% of Russian Toll Fraud Malware

Investigation Uncovers Russian Malware Headquarters and Affiliates Responsible for 30% of Global Malware Detections in 2013

Def Con Hacking Conference

SAN FRANCISCO--()--The security researchers at Lookout, the leader in security technology, will share the findings of an investigation into Russian mobile malware today at the Def Con Hacking Conference in Las Vegas, Nevada. Lookout also released an in-depth report on the research: Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian Malware.

In the report, Lookout investigates 10 Russian-based organizations, uncovering that the mobile malware industry in Russia has become highly organized and profitable. These malware businesses develop more than 60 percent of all Russian malware and have thousands of individual affiliate marketers and web properties advertising their malware.

Within the industry, Lookout identified distinct malware development and distribution businesses (i.e., Malware Headquarters) that have created online do-it-yourself (DIY) malware platforms so that just about anyone can distribute and profit from malware – no prior coding or technical experience required. The Russian Malware Headquarters leverage a large and highly motivated workforce of affiliates, who earn a share of the profit by marketing and distributing the malware. Affiliates use the malware platform to configure their own customizable, “Easy-Bake” malware applications. Lookout has evidence of the affiliates making up to $12,000 per month. Malware Headquarters handle the production tasks such as releasing new Android code and configurations every two weeks, malware hosting, shortcode registration, and marketing campaign management tools. Like any other large business, Malware Headquarters provide customer support, post regular newsletters, report downtime or new features, and even run regular contests to keep their affiliates engaged and motivated.

The malicious activity of choice for these organizations is toll fraud — malware designed to secretly make charges to a victim’s phone bill via premium SMS messages, often while providing nothing of value in return. The affiliates can customize their toll fraud malware so that it looks like the latest Angry Birds game or Skype app in order to lure in a potential victim. Affiliates then receive a link to their custom malware that they can distribute as they see fit; common distribution points include social media sites like Twitter. Lookout reviewed 250,000 unique Twitter handles and, of those, nearly 50,000 linked directly to these toll fraud campaigns. The victim of the scheme is usually a Russian speaking Android user looking for free apps, games, MP3s or pornography. The victim may have been using search engine or click through links in Tweets or mobile ads, then unwittingly download the malicious app which secretly adds a premium SMS charge to their phone bill.

Lookout has been actively tracking SMS fraud since the first example was found in the wild in August 2010. Over time, this specific collection of malware samples, which primarily targeted Russian users with toll fraud, became the largest percentage of Lookout’s total Android malware collection. More than 50% of Lookout’s total malware detections in the wild for the first half of 2013 were Russian-based toll fraud.

Over the past three years, Lookout collected a dataset of the Russian SMS fraud malware, which they’ve classified into individual groups or “families” based on similarities in code and key features. This dataset — when merged with Lookout’s threat intelligence dataset of malicious links, domains and social media accounts — gives the full context on the issue at hand. This in turn allowed Lookout to track individual malware families back to the responsible affiliates and Malware Headquarters. Creating more connections in the dataset allows Lookout to more closely track malware families in the future.

See the full report: Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian Malware. For more information on Lookout, visit www.lookout.com.

About Lookout

Lookout builds security software that protects people, businesses and networks from mobile threats. Lookout created the world’s largest mobile threat dataset, and the power of 40 million devices proactively prevent fraud, protect data and defend privacy on personal and business devices, and networks. Lookout’s flagship consumer product, Lookout Mobile Security is available for Android, iOS and Kindle, and received the 2013 Laptop Editors’ Choice Award. A 2013 World Economic Forum Technology Pioneer company, Lookout has offices in San Francisco and London. For more information, please visit www.lookout.com.

Contacts

SutherlandGold for Lookout
Victoria Krammen, 415-848-7178
vkrammen@sutherlandgold.com

Release Summary

The security researchers at Lookout, the leader in security technology, will share the findings of an investigation into Russian mobile malware today at the Def Con Hacking Conference in Las Vegas

Sharing

Contacts

SutherlandGold for Lookout
Victoria Krammen, 415-848-7178
vkrammen@sutherlandgold.com