Mobile Crime Doesn’t Pay–in Japan

Writing Android malware can be a lucrative business for a criminal. One can create an SMS-sending Trojan horse or a botnet client and sit back to collect the money. It can also be a very brief business, leading one directly to jail. The crooks behind Android/OneClickFraud (malware that extorts users) and Android/DougaLeaker (malware that steals and forwards user data to the attacker) recently ran afoul of Japanese laws against malware and laws protecting personally identifiable information.

I already paid, why doesn’t this app work?
Android/OneClickFraud is malware that pretends to be an adult entertainment app. Users fooled into downloading it expect that they’ll be able to view adult content, but instead they’re presented with a request for payment. They get a pop-up every five minutes that says, essentially, that their payment has not yet been received.

Android/OneClickFraud displays a message saying that payment hasn't been made.

One would expect that almost nobody would fall for such a trick, especially after already paying. It turns out that more than 200 victims actually paid the thieves to the tune of ¥21 million (approximately US$265,000). Not a bad haul for a small band of criminals. Eventually the Japanese police caught up with the group, arresting six people, including the developer of the malware.

Let’s go to the movies
We’ve previously written about Android/DougaLeaker. This malware pretends to be “the Movie” or a trailer for video games and adult films. This was a surprisingly successful social engineering tactic from the attackers. Victims hoping to view the trailers ended up getting their contacts stolen and sent to the attackers’ server.

Android/DougaLeaker pretends to offer trailers of popular games and adult entertainment.

The purpose of the malware appears to be collecting contact data to promote a dating site. Viral marketing and asking customers to voluntarily send emails to all of their friends promoting your site is acceptable and legal, but using a Trojan to steal their contact lists gets you jail time.

It’s interesting that the people in charge of the dating company outsourced the development of the malware. Similar to trends in legitimate mobile development, criminals are also going to third parties when they don’t have the mobile development expertise in house. Although this means more work for third-party mobile developers, they should realize that they get the same punishment as the people who hired them.

A positive sign
It’s good to know that the authorities are going after the villains behind mobile malware. The work of Japanese law enforcement in finding and prosecuting the people behind these mobile threats is commendable. Although this is a good start, it’s unlikely that we’ll see all mobile malware disappear. We still see a majority of new malware coming from unregulated third-party app markets and from servers offering drive-by downloads of malware. As long as criminals can make a profit from mobile botnets and malware that can buy apps without user permission, it may be some time before we see a slowdown in such attacks.


Instagram Spam Leads to Premium Mobile Services

Spammers have long been leveraging social networking sites to pull off scams. Generally speaking, as the popularity of a service increases, so too do the illicit activities of scammers. It seems that the popular photo-sharing service Instagram is the latest social networking site to catch the attention of these scammers.

I discovered this first-hand when I received an Instagram photo comment, from an unfamiliar account, which had nothing to do with the photo:

"Hi there, Get a FREE Game in my Profile, OPEN it up, Get 85.90$ :-) xx"

I went to check out the user, who appeared to be a rather attractive woman with followers in the thousands, but surprisingly for a photo-sharing service, not a single photo.

Figure 1. Scammer’s Instagram profile

Who was this mysterious lady? Her profile bio said largely the same thing as the comment she left me, but also included a shortened URL. The link ended up pointing to a premium mobile service that offered to send me videos of cute animals for only €4.50 per month. To avail of this service, all I had to do was give them my phone number, and I’d no longer have to watch such videos for free on YouTube.

Figure 2. Premium-rate service

How successful are these various scam campaigns? It turns out they could be fairly lucrative. For instance, the shortened URL on my commenter’s profile has been clicked close to 10,000 times in little more than a month. If only a fraction of these users sign up for the premium rate service, the scammers could consider their efforts successful.

It’s important to note that Instagram isn’t alone when it comes to scams like these, and has methods to deal with them. In this month’s Symantec Intelligence Report, we discuss this scam in further detail, along with a couple others you may encounter on Instagram, and provide details on what to do if you encounter such scams yourself.