Kaspersky Lab’s Senior Malware Analyst Denis Maslennikov speaks at RSA Conference about the mobile side of Russian cybercrime. Maslennikov outlines the prevalent techniques used to scam users, describing modifications of SMS Trojans and explaining how they work.
Hello, my name is Denis Maslennikov, I work for Kaspersky Lab as the Senior Malware Analyst, and today we are going to talk about Russian cybercrime and Russian mobile cybercriminals.
This research demonstrates one really interesting point: Russian mobile cybercriminals are probably the luckiest ones in the world. Why? Well, most people today are not aware of mobile malware, and legislation loopholes really help bad guys take advantage of the laws and profit from illegal activities.
This presentation will cover all aspects of mobile malware evolution and the mobile malware industry in Russia. Also, we will estimate the losses caused by mobile malware and try to look into the future with and without various changes.

But first of all, let’s start with the evolution of the SMS Trojans and the mobile malware industry. The following diagram (see image) represents the ratio between the total number of mobile malware modifications found by Kaspersky Lab and Trojan-SMS modifications.
What is a Trojan-SMS program? It’s a malicious application which was created for sending SMS messages to premium-rate numbers. For example, if the Trojan sends one SMS it can cost you 5 or 10 USD.
And you can see that this behavior of SMS Trojans has been dominating from January 2008 up to the current moment.
Cybercriminals understood that the SMS Trojans are the easiest and the most profitable source of income due to direct access to the phone bill and unawareness of people.
The evolution of SMS Trojans can be divided into three big parts. The first year of Trojan-SMS evolution was characterized by primitive Java 2 Micro Edition (J2ME)[1] SMS Trojans. These are primitive applications without any kind of complication, social engineering tricks, or anything else.
The second period was characterized not only by J2ME Trojans; they became more advanced, so they started to use some social engineering tricks and, in some cases, some kind of encryption. And also, we started to discover Symbian and Windows Mobile malicious applications.
And the last one, the third period, which still continues, can also be characterized by, again, advanced Java 2 Micro Edition Trojans and complex Symbian and Windows Mobile Trojans.
I will describe all these three steps now.

Let’s start with the primitive ones. The malware family named ‘Konov’ was one of the first widespread SMS Trojans. It can be characterized by a very small size, from 1 to 8 KB. There was no encryption, no social engineering tricks. And all the information which is required for SMS sending was stored in the manifest file. So you can see there are 5 premium-rate numbers and there are 5 SMS texts.
This Trojan was mostly spread in the Russian social network named ‘Vkontakte’ (in contact). Sometimes, people receive different spam messages in social networks, and in this case there were spam messages which asked the users to click the link and go to a website telling them that if they clicked another link and downloaded special software for their mobile phone, they would be granted a 500 Rubles (15 USD) bonus. But in fact, this message won’t give you any kind of bonus but will only send expensive SMS messages.

This Trojan was really primitive. And the next one, named ‘VScreener’, demonstrates how cybercriminals started to create more sophisticated malicious applications. This malware poses as a faulty video player. And this player must be ‘tuned’ by the user. The tuning can be done by pressing the left soft key.
There is one aspect in J2ME SMS Trojans – the majority of modern simple mobile phones do support J2ME technology, but this technology is a bit restricted. So for example, if the application is trying to connect to a URL or send an SMS message, or dial a number – the Java machine will notify the user by showing a message on the screen that for example: “This application wants to send an SMS message, would you allow it or not?” The user must then press ‘Yes’ or ‘No’.
This malicious application sends these expensive SMS messages during the ‘tuning’. So imagine the situation when the user is pressing the left soft key: he starts to see some kind of picture of a very cute lady, and at the same time this Trojan will try to send SMS messages, which the user will confirm by quickly pressing the left soft key. And besides, this premium-rate number and the SMS text are stored in the load.bin file and were encrypted with ADD and the ‘0xA’ key.

So, we talked about J2ME Trojans, now let’s move on to smartphone malicious applications. I think some of you may remember the story of signed Symbian malware, the first example of which was a worm named ‘Yxe’. It became the first application of this kind which was signed by a valid certificate, and the Lopsoy Trojan was also signed by a valid certificate.
During the research, I found the website of the probable author, and his article which fully describes the logic of how this Trojan works. You know, a few days after adding the detection of this Trojan, I found the Twitter account of this probable Trojan author, where he wrote: “Because of this article they’re saying I’m a virus writer. Even though anyone could see that my goal was only to warn people.” But I don’t think that it is a good idea to warn people by creating malicious applications.
Lopsoy became the first SMS Trojan which connects to the author’s URL in order to download the information. In this case, this Trojan was trying to download an SMS text and a premium-rate number from the website. So for example, if mobile operators noticed that this SMS text and this premium-rate number were used illegally, they could block it, but in this case the author can rent another premium-rate number and another SMS text, update the information on the website, and the Trojan will continue its work.
Another example of how this Trojan was spreading: we found a lot of smartphone games websites which were able to determine the User Agent of the browser the user was surfing from. And for example, if the user was surfing the Internet with his mobile phone, they would display on the screen of the mobile phone the optimized page of the website.

Another example, a Windows Mobile Trojan, was also able to connect to the URL and download information for SMS sending. But in our case it was trying to download an XML[2] file, and some parts of this XML file were encrypted. You can see some strange letters between the tags ‘phone’ and ‘interval’. Well, inside the body of the Trojan we found the following table (see image), and this table was used by the Trojan in order to decrypt and retrieve the information about the premium-rate number and the interval between each message.
This Trojan was also spread through different fake websites, but in this case these were PDA application websites. So for instance, the user was searching for some kind of free software for his Windows Mobile smartphone, and somehow he visited the following website. In this case, he will download a KB archive with the application inside, maybe legal, but at the same time there will be an executable file with the Trojan body in the KB archive.
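As an added analysis example (not code from the talk, nor a Kaspersky Lab tool), the script below extracts premium-rate numbers and SMS texts from the two storage styles described above: plaintext entries in a J2ME manifest, as in Konov, and a load.bin blob encoded by adding 0xA to every byte, as in VScreener. The manifest key names, the blob layout and all sample values are constructed assumptions for illustration.

```python
"""Static config extractor for two SMS-Trojan storage styles from the talk.
Added example, not the speaker's or Kaspersky's code. The manifest key
names (SMS-Number-N / SMS-Text-N), the load.bin layout (number, newline,
text, newline) and every sample value below are constructed assumptions."""
import re

ADD_KEY = 0xA  # the talk: load.bin "encrypted with ADD and 0xA key"

# Constructed J2ME manifest in the Konov style: everything in plaintext.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
MIDlet-Name: BonusApp
SMS-Number-1: 1234
SMS-Text-1: 8 23
SMS-Number-2: 5678
SMS-Text-2: 11 52
"""

# Constructed load.bin in the VScreener style: "1234\n8 23\n" with 0xA
# added to each byte ('1' 0x31 -> ';' 0x3B, '\n' 0x0A -> 0x14, ...).
SAMPLE_LOAD_BIN = b";<=>\x14B*<=\x14"


def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Return (number, text) pairs from numbered manifest keys."""
    nums = dict(re.findall(r"^SMS-Number-(\d+):\s*(.+)$", text, re.M))
    txts = dict(re.findall(r"^SMS-Text-(\d+):\s*(.+)$", text, re.M))
    return [(nums[i].strip(), txts[i].strip()) for i in sorted(nums) if i in txts]


def decode_add(blob: bytes, key: int = ADD_KEY) -> str:
    """Undo an 'add key to every byte' scheme by subtracting it modulo 256."""
    return bytes((b - key) & 0xFF for b in blob).decode("ascii", "replace")


def parse_load_bin(blob: bytes) -> tuple[str, str]:
    """Decode the blob and split it into (premium number, SMS text)."""
    number, text = decode_add(blob).split("\n")[:2]
    return number.strip(), text.strip()


def is_short_code(number: str) -> bool:
    """Heuristic: premium-rate short codes are 3-6 digits, not full numbers."""
    return number.isdigit() and 3 <= len(number) <= 6


def extract_all(manifest: str, blob: bytes) -> list[dict]:
    """Collect findings from both sources and flag likely premium short codes."""
    found = [("manifest", n, t) for n, t in parse_manifest(manifest)]
    found.append(("load.bin",) + parse_load_bin(blob))
    return [{"source": s, "number": n, "text": t, "short_code": is_short_code(n)}
            for s, n, t in found]
```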
[1] Java 2 Micro Edition (J2ME) is a consumer wireless device platform allowing developers to use Java and the J2ME wireless toolkit to create applications and programs for wireless and mobile devices.
[2] XML (Extensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.