Android hackers honing skills in Russia
Sophos says they're starting in Russia, but will expand with success
By Antone Gonsalves
May 17, 2012 — CSO — The malware business growing around Google Android -- now the leading smartphone operating system -- is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers.
Sophos and Symantec on Wednesday released their latest Android malware discoveries, both written in Russian. While the language narrows the pool of potential victims, the social-engineering tactics used to get Android users to install the malware are universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals using mobile websites to offer bogus versions of popular games.
Sophos says the criminals are like other entrepreneurs launching startups. They're starting in Russia, but have far greater ambitions. "I don't think we can say that they're necessarily using it as a testing ground -- think of it more as a local business that as it grows may gain multinational ambitions," Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday.
While criminals today are writing consumer-focused apps, it's only a matter of time before the hackers go after corporate data, particularly if the number of people accessing employers' networks with personal devices continues to grow, experts say. Android is the leading smartphone OS.
In the first quarter, 56% of the smartphones sold ran Android, compared with 23% with Apple iOS, according to the latest figures from Gartner.
The cyber scam tracked by Sophos was reported this week by GFI Lab, which discovered links to the bogus antivirus software on Twitter. Sophos dug deeper and found that the .ru domains all resolved to the same IP address, hosted in Ukraine.
When visited, the Web pages serve an Android .apk file that offers an AV scan. If activated, the scan installs an app whose icon tricks the victim into believing it comes from Russian security vendor Kaspersky Lab.
Instead of virus protection, the app sends expensive text messages to premium-rate services, and the charges are billed to the Android user through their wireless provider. The malicious code also has the ability to download and install additional code from the Internet.
Symantec's discovery involves the latest version of the Android.Opfake malware the vendor has been following for a while. In the past, the malware masqueraded as an installer for the Opera Web browser or a pornographic movie, and charged the user when either was downloaded.
The latest version is disguised as popular games made available through dummy sites that link back to a central back-end site that acts as a file generator or repository. Bogus versions of Fruit Ninja, SIMS 3, TempleRun and Angry Birds are used to disguise the malware.
Cluley expects these criminal enterprises to expand, once the founders are confident they can scam people in other countries. "What makes money in Russia today, could be used in attacks against American users tomorrow," he said.