Mobile Crime Doesn’t Pay–in Japan

Writing Android malware can be a lucrative business for a criminal. One can create an SMS-sending Trojan horse or a botnet client and sit back to collect the money. It can also be a very brief business, leading one directly to jail. The crooks behind Android/OneClickFraud (malware that extorts users) and Android/DougaLeaker (malware that steals and forwards user data to the attacker) recently ran afoul of Japanese laws against malware and protecting personally identifiable information.

I already paid, why doesn’t this app work?
Android/OneClickFraud is a malware that pretends to be an adult entertainment app. Users fooled into downloading it expect that they’ll be able to view adult content but instead they’re presented with a request for payment. They get a pop-up every five minutes that says essentially that their payment has not yet been received.

Android/OneClickFraud displays a message saying that payment hasn't been made.

Android/OneClickFraud displays a message saying that payment hasn’t been made.

One would expect that almost nobody would fall for such a trick, especially after already paying. It turns out that more than 200 victims actually paid the thieves to the tune of ¥21 million (approximately US$265,000). Not a bad haul for a small band of criminals. Eventually the Japanese police caught up with the group, arresting six people, including the developer of the malware.

Let’s go to the movies
We’ve previously written about Android/DougaLeaker. This malware pretends to be “the Movie” or a trailer of video games and adult films.  This was a surprisingly successful social engineering tactic from the attackers. Victims hoping to view the trailers ended up getting their contacts stolen and sent to the attackers’ server.

Android/DougaLeaker pretends to offer trailers of popular games and adult entertainment.

The purpose of the malware appears to be that of collecting contact data to promote a dating site. Viral marketing and asking customers to voluntarily send emails to all of their friends promoting your site is acceptable and legal, but using a Trojan to steal their contact lists gets you jail time.

It’s interesting that the people in charge of the dating company outsourced the development of the malware. Similar to trends in legitimate mobile development, criminals are also going to third parties when they don’t have the mobile development expertise in house. Although this means more work for third-party mobile developers, they should realize that they get the same punishment as the people who hired them.

A positive sign
It’s good to know that the authorities are going after the villains behind mobile malware. The work of Japanese law enforcement in finding and prosecuting the people behind these mobile threats is commendable. Although this is a good start, it’s unlikely that we’ll see all mobile malware disappear. We still see a majority of new malware coming from unregulated third-party app markets and from servers offering drive-by downloads of malware. As long as criminals can make a profit from mobile botnets and malware that can buy apps without user permission, it may be some time before we see a slowdown in such attacks.