The Ugly Truth About Mobile Security 2: premium-rate numbers affiliate networks

Read previous: The Ugly Truth About Mobile Security: Mobile malware and SMS Trojans

What is the core reason for the Russian mobile cybercrime’s flourishing? To address this point, Denis Maslennikov explains in detail how a typical SMS Trojan scheme works, and how little it actually takes to register with an affiliate network of that kind and start benefiting from malicious activities. The speaker also outlines the profit issue and the probable future of mobile crime.

The root of all evil

So, I’ve tried to briefly describe the evolution with specific examples, and now let’s go to the root of all this evil and see how Russian mobile cybercriminals actually work.

Interpretation of Konov SMS Trojan's manifest file

Interpretation of Konov SMS Trojan's manifest file

The main question of the presentation is still unanswered: why are Russian mobile cybercriminals the happiest ones in the world? Let’s go back to the Konov manifest file (see image). You can see premium-rate numbers and SMS texts there. 10 or 6 dollars per SMS is a normal situation. And, you know, in Russia mobile operators usually act as owners of the premium-rate number. Well, there are such organizations like content providers. They were created to provide rental services for as many people and as many companies as possible.

So, what about ‘epbox 1290’? We can divide this, let’s say, prefix, or SMS text into 2 parts: Renter and Subtenant. The main renter leases ‘epbox’ prefix on the premium-rate numbers 4460 or 5537 from content provider and offers subtenancy services for ‘epbox 1290’ renter.

Hierarchy of ‘epbox’ distributors: renters and subtenants

Hierarchy of ‘epbox’ distributors: renters and subtenants

But who are ‘epbox’ and ‘epbox 1290’ renters? Our ‘epbox’ renter is an affiliate network owner, and ‘epbox 1290’ Renter is one of the many affiliates. Beside ‘epbox 1290’ renter, we can also find ‘epbox M’ subtenant or ‘epbox N’ subtenant – they can also participate in this affiliate network.

And for example, ‘epbox N’ subtenant can offer legal services. For example, the user sends an SMS with the text ‘epbox N’ to the premium-rate number 4460 – and he will receive, for example, a link to download a legal game. ‘epbox M’ subtenant acts like this: if the user sends an SMS with the following text he will receive, say, a link to a .JPEG file. And ‘epbox 1290’ is our mobile cybercriminal.

Affiliate network registration form

Affiliate network registration form

So the root of all evil is here – it’s the affiliate network registration form (see image). For example, if I have very nice photos of San Francisco or New York, or Moscow, I can sell them. I can register with the affiliate network and try to sell my photos with the help of premium-rate SMS messages.

If I want to register there I must provide the following information: my name, my email, my website URL where I will post my pictures, website name, and Webmoney account. Webmoney is a Russian electronic money payment system; for instance, if I sell 10 pictures at 10 dollars each, the money will go to my Webmoney account.

In other words, after the registration I will receive my affiliate ID like ‘epbox 1290’ or ‘epbox M’, or something else. And I think you have already noticed that I provide no sensitive data at all. I don’t need to send them the scan of my passport or confirm my identity, or something else. It means that I can act absolutely anonymously. So, that’s the root of all the evil. In Russia it is possible to rent special text or prefix on premium-rate number absolutely anonymously.

Adult affiliate website distributing SMS Trojans

Adult affiliate website distributing SMS Trojans

The biggest part of the affiliate websites are porn sites. Porn was always very close to malware in general. This is an example of a typical affiliate website (see image). You can see several porn thumbnails which offer users to download 3gp or mp4 porn videos.

But what is going to happen in reality if the user clicks on one of these links? The user will be redirected to a remote server which checks the referrer and correlates it with the affiliate ID. After that, a JAR1 constructor which works on the web server will generate an SMS Trojan with the affiliate ID, and the web server will return this SMS Trojan as a porn video to the user. Unfortunately there are thousands of such websites on the web, and almost all of them do spread SMS Trojans that way.

How much do they make?

And now, let’s answer the second main question: how much do they make? But first of all we must see how the revenue is shared between persons and organizations in the following scheme.

Revenue sharing scheme

Revenue sharing scheme

So, let’s say we have an infected phone, and the phone is infected by SMS Trojan, and this SMS Trojan sends an SMS. Mobile operator will take from 31% to 50% of the cost of the SMS. Content provider will take from 1% to 5% of the cost of the SMS. And finally, the affiliate network owner will take from 1% to 5% of the cost of the SMS. And in the end, the affiliate who actually created this SMS Trojan and spread it will earn from 40% to 67% of the cost of the SMS. So it means if an SMS costs, say, 10 dollars, the affiliate will earn from 4 to 7 dollars from each SMS message.

'Perlag' affiliate network fined: the income calculation

'Perlag' affiliate network fined: the income calculation

Some time ago, I found a very interesting screenshot which opened very interesting secret information from one of the largest mobile affiliate networks. I don’t know how but the information was available in public sources. And the screenshot shows us that this affiliate network was fined by content provider (see image). And the fine was equal to 25% of the weekly revenue of the affiliate network: 1.6 million rubles, or 53,000 dollars. We can estimate the weekly income: it equals to approximately 212,000 dollars, and the monthly income equals to 850,000 dollars. I told you earlier that affiliates will earn at least 40% of the cost of the SMS. What does it mean? It means that Perlag affiliates cause serious financial damage, which is equal to at least 1.2 million dollars per month.

This turned out to be a ‘death penalty’ for Perlag – some time after this screenshot became available, this affiliate network was closed and gone.

And now, I would like to summarize everything we talked about, and let’s see today’s situation in general. Today we have a lot of SMS Trojans for Java 2 Micro Edition platform, for Symbian platform, for Windows Mobile platform, for Android platform, and some of them became really complicated. Cybercriminals are organized now, and such organizations as affiliate networks help them in their so called ‘e-business’. And unfortunately all of them are still unpunished, so that is probably why they feel safe and continue their activities.

I think that you would also agree that all antivirus vendors have problems with detecting Java 2 Micro Edition Trojans on simple mobile phones. In fact, we cannot detect them because it is impossible to create an mobile antivirus for Java 2 Micro Edition platform and simple cell phones.

Today and tomorrow

And today, only Russia and some CIS2 countries are targeted by these activities and by SMS Trojans. The only reason of that is legislation loopholes, which allows cybercriminals to rent premium-rate numbers absolutely anonymously. If the situation is not changed, we will be seeing absolutely the same thing.

Affiliate website providing premium-rate numbers

Affiliate website providing premium-rate numbers

The potential targets of mobile cybercrime are a questionable issue. Why? Not so long ago, on one of the affiliate websites I found the following information about the premium-rate numbers and the cost of each SMS to premium-rate numbers (see screenshot). We can find there some Russian premium-rate numbers, Ukrainian, Kazakhstani, and even Latvian, Lithuanian, Estonian, and maybe even German premium-rate numbers.

And one more content provider allows us to rent U.S. premium-rate numbers from Russia absolutely anonymously. So, we have already seen other types of malware which uses U.S. premium-rate numbers, and this malware was created by Russian cybercriminals and was spread in the U.S. Fortunately, we have not seen mobile malware, but in some cases it is only a matter of time.

So, what should we do in this situation? I think, except detecting mobile malware and providing antivirus database updates, we must surely force some legislation changes in certain countries. In my opinion, mobile cybercriminals are the same cybercriminals – and they must also be punished. And surely, we must educate users and provide more user awareness of this problem.

And again, as a summary: SMS Trojans target mostly single users, not enterprises surely. Social engineering is exploited to a large extent by cybercriminals. In most cases, threats are really easy to remove – sometimes you can go to the phone menu and simply press ‘Delete’ button. And one very positive note is that mobile operators always refund the money if malicious SMS messages were sent. So for example, if you were infected by an SMS Trojan and you somehow noticed that, and the SMS messages were sent, you should write a complaint letter to the mobile operator, and you will get your money back.


1JAR (Java ARchive) is an archive file format typically used to aggregate many Java class files and associated metadata and resources (text, images and so on) into one file to distribute application software or libraries on the Java platform.

2CIS (Commonwealth of Independent States) is a regional organization whose participating countries are former Soviet Republics, formed during the breakup of the Soviet Union.

Like This Article? Let Others Know!
Related Articles:

Comments are closed.

Comment via Facebook: