Attempts to Spread Mobile Malware in Tweets

It takes time and dedication for cybercriminals to place their mobile malware somewhere on the Internet that will result in a high number of downloads. Target locations include the official app market, third-party markets, and even fake app markets. Other locations may include websites designed specifically to host a particular malware family or to serve a variety of malware masquerading as authentic apps. However, the cybercriminals also need to do some advertising in order to direct traffic to wherever the malware resides. Some post comments with malicious links on forums, while others use search engine optimization (SEO) to push malicious sites to the top of search results. Tweets are also used to lure mobile users to the malicious sites. In fact, we have noticed that tweeting is proving a popular method of directing users to the infamous Android.Opfake malware.

Users can potentially end up infecting their mobile devices with Android.Opfake by searching for tweets on subjects such as software, mobile devices, pornography, or even dieting, to name a few. Android.Opfake is not hosted on the Android Market (Play Store); instead, these tweets lead to malicious websites built to deliver the Opfake application. The tweets typically contain short URLs, and the message is mainly in Russian with some English terms included. Once the user visits the site, they are prompted to install the malicious application. Aside from these particular characteristics, however, the tactics vary from tweet to tweet, making it difficult to confirm which tweets are actually bad without clicking on the link. Below are a couple of examples that include malicious tweets.

Some are easier to spot because similar tweets are constantly being sent out and the accounts have no followers, but others do have followers and do not tweet as often. Some have content in their profiles, but most do not. Most account names are peculiar, but some have common names. Below are a few of the recognizable bad accounts.

Several operations are continuously taking place, and some run at the same time, which amounts to a very large number of tweets. For example, a recent 8-hour operation included over 130,000 tweets from around 100 accounts before it ceased tweeting.

Data courtesy of Topsy Labs

This was only one of the operations running simultaneously. Another operation taking place at the time sent out over 1,500 tweets from over 50 accounts in the space of one hour. There were other minor operations taking place as well. However, I was unable to confirm the number involved. Among the 250 million tweets sent every day, it is difficult to gauge how many tweets leading to malware are actually out there.
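The traits described above (shortener links, Russian text mixed with English terms, very high per-account tweet volume, accounts with no followers) can be turned into a simple triage heuristic. The following is an added example, not code from Symantec or Twitter; the shortener list, the 30 tweets/hour threshold (taken from the 1,500 tweets / 50 accounts / 1 hour operation), the three-reason cutoff and the sample tweets are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames of common URL shorteners (assumption: a real deployment keeps a fuller list).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
URL_RE = re.compile(r"https?://\S+")

def has_short_url(text):
    """True if any link in the tweet points at a known shortener."""
    return any(urlparse(u).hostname in SHORTENERS for u in URL_RE.findall(text))

def mixed_script(text):
    """True if the text (links removed) contains both Cyrillic and Latin letters."""
    body = URL_RE.sub("", text)
    cyrillic = any("\u0400" <= c <= "\u04ff" for c in body)
    latin = any(c.isascii() and c.isalpha() for c in body)
    return cyrillic and latin

def flag_accounts(tweets, window_hours, rate_threshold=30.0, min_reasons=3):
    """Group tweets by account and return {account: [reasons]} for accounts that
    match at least min_reasons of the traits described in the post."""
    by_account = defaultdict(list)
    for t in tweets:
        by_account[t["account"]].append(t)
    flagged = {}
    for account, posts in by_account.items():
        reasons = []
        rate = len(posts) / window_hours
        if rate >= rate_threshold:
            reasons.append(f"high volume: {rate:.0f} tweets/hour")
        if all(has_short_url(p["text"]) for p in posts):
            reasons.append("every tweet carries a shortener link")
        if all(mixed_script(p["text"]) for p in posts):
            reasons.append("Russian text mixed with English terms in every tweet")
        if posts[0]["followers"] == 0:
            reasons.append("no followers")
        if len(reasons) >= min_reasons:
            flagged[account] = reasons
    return flagged

# Constructed sample, not real tweets: one spam-like account and one ordinary user.
SAMPLE = (
    [{"account": "xq7ru", "followers": 0,
      "text": f"Новая программа для Android, скачать http://bit.ly/placeholder{i}"}
     for i in range(60)]
    + [{"account": "sammy", "followers": 120,
        "text": "Great run this morning, new personal best!"}] * 2
)
```

Running flag_accounts(SAMPLE, 2) flags only the first account; the threshold and the reason count are the knobs to tune against your own false-positive rate.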

Whenever we see certain patterns in malicious tweeting, we report our findings to Twitter to have them shut down and the company has been very responsive in taking them down. Twitter also provides the ability for users to report an account as spam. Below is a page that the company prepared for one of the operations that was shut down.

With traditional malware, security vendors continuously update their detections, and the malware developers then update their malware in turn. Malicious tweeting is now playing the same cat-and-mouse game. Cybercriminals keep changing their tactics, making it difficult to recognize all bad tweets, and most of all: they are persistent. Symantec will continue to work with Twitter to combat these operations, and the combination of our defences will hopefully continue to protect our customers. Twitter’s Help Center also provides several tips on how to keep your account secure.

Smartphones have allowed users to access the Internet anytime, anywhere, and to perform tasks that were previously only possible on computers. While this convenience brings many advantages, cybercriminals are also taking the opportunity to accomplish their bad deeds. So be wary when using mobile devices. For tweets in particular, be selective about which links you click on. You may want to trust only tweets from accounts you are familiar with. Tweets are similar to email: you wouldn’t open an email from an unknown sender and then click on the included link, would you? That usually means bad news, and the same goes for tweets.