Android hackers honing skills in Russia

The malware business growing around Google Android -- now the leading smartphone operating system -- is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers.

Sophos and Symantec on Wednesday released details of their latest Android malware discoveries, both aimed at Russian-speaking users. While the language narrows the pool of potential victims, the social-engineering tactics used to get Android users to install the malware are universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals who use mobile websites to offer bogus versions of popular games.


Sophos says the criminals are like other entrepreneurs launching startups. They're starting in Russia, but have far greater ambitions. "I don't think we can say that they're necessarily using it as a testing ground -- think of it more as a local business that as it grows may gain multinational ambitions," Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday.

While criminals today are writing consumer-focused apps, it is only a matter of time before they go after corporate data, particularly if the number of people accessing employers' networks with personal devices continues to grow, experts say.

In the first quarter, 56% of smartphones sold ran Android, compared with 23% running Apple's iOS, according to the latest figures from Gartner.

The scam tracked by Sophos was first reported this week by GFI Lab, which found links to the bogus antivirus software on Twitter. Sophos dug deeper and found that the .ru domains all resolved to the same IP address, hosted in Ukraine; a set of lookalike domains sharing one server is a common pivot for tying a campaign's infrastructure together.

When visited, the Web pages offer a free antivirus scan; accepting it downloads an Android .apk file. Once installed, the app uses a copy of Kaspersky Lab's icon to pass itself off as a product of the Russian security vendor. Because the package is delivered from a website rather than the official market, the victim must also allow installation from unknown sources and accept the permissions the app requests, which is exactly what the fake-scanner pretext is designed to make them do.

Instead of protecting the phone, the app sends text messages to premium-rate services, and the charges land on the victim's bill from their wireless provider. The malicious code can also download and install further code from the internet, so its capabilities are not limited to what ships in the original package.
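Neither vendor publishes its detection logic in this article, so the following is an added example of the kind of static triage an analyst would run on a suspected premium-SMS trojan such as the fake scanner described above. It is not Sophos's or Symantec's code. It assumes the APK has already been unpacked (for instance with apktool, which decodes the binary AndroidManifest.xml to plain XML) and that a string dump of the classes.dex is available; the manifest, the string list, the package name and the short codes below are all constructed for the example and do not come from any real sample.

```python
"""Static triage heuristics for a suspected premium-SMS Android trojan.

Inputs: a decoded AndroidManifest.xml (plain XML, as apktool emits it) and a
list of strings pulled from the dex file. Output: a list of findings and a
coarse verdict. The indicators are the ones the fake-AV story turns on:
SEND_SMS, a high-priority SMS receiver (to hide carrier confirmation replies),
hard-coded short codes, and the APK MIME type plus INTERNET (download-and-
install capability).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APRIO = f"{{{ANDROID_NS}}}priority"

# Constructed sample manifest for a hypothetical fake "scanner" app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakescanner">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Antivirus Scanner">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample string dump; the short codes and URL are made up.
SAMPLE_STRINGS = [
    "Scanning device...",
    "3353",
    "7122",
    "http://example.invalid/update.apk",
    "application/vnd.android.package-archive",
    "Kaspersky",
]

RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can read carrier confirmation replies",
    "android.permission.INTERNET": "can fetch additional payloads",
}
# Premium short codes are short all-digit numbers; 4-6 digits is a reasonable net.
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")
APK_MIME = "application/vnd.android.package-archive"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def declared_permissions(manifest_xml):
    """Return the uses-permission names in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANAME) for el in root.iter("uses-permission")]


def sms_receiver_priority(manifest_xml):
    """Highest android:priority of any intent-filter for SMS_RECEIVED, else None."""
    root = ET.fromstring(manifest_xml)
    best = None
    for filt in root.iter("intent-filter"):
        actions = {a.get(ANAME) for a in filt.iter("action")}
        if SMS_RECEIVED not in actions:
            continue
        raw = filt.get(APRIO)
        # apktool may emit decimal or 0x-prefixed hex; int(x, 0) handles both.
        prio = int(raw, 0) if raw is not None else 0
        best = prio if best is None or prio > best else best
    return best


def triage(manifest_xml, strings):
    """Combine permission, receiver and string indicators into findings."""
    findings = []
    perms = declared_permissions(manifest_xml)
    for p in perms:
        if p in RISKY_PERMISSIONS:
            findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    prio = sms_receiver_priority(manifest_xml)
    if prio is not None:
        findings.append(f"SMS_RECEIVED receiver at priority {prio}: "
                        "can consume carrier replies before the inbox sees them")
    codes = sorted(s for s in strings if SHORT_CODE_RE.match(s))
    if codes and "android.permission.SEND_SMS" in perms:
        findings.append(f"SEND_SMS plus hard-coded short codes {codes}")
    if APK_MIME in strings and "android.permission.INTERNET" in perms:
        findings.append("INTERNET plus APK MIME type: can download and install packages")
    return findings


def verdict(findings):
    """Three or more independent indicators is the (arbitrary) threshold used here."""
    return "likely premium-SMS trojan" if len(findings) >= 3 else "inconclusive"


if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print("-", f)
    print(verdict(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)))
```

The short-code regex will also match version numbers and resource IDs, and a legitimate SMS app legitimately asks for SEND_SMS, so treat the output as a prioritisation aid for a human analyst rather than a verdict in its own right. The high-priority SMS receiver is the most telling single indicator here: a scanner has no business reading incoming texts, and swallowing the carrier's billing confirmation is how premium-SMS trojans keep the victim from noticing the charges.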

Symantec's discovery involves the latest version of the Android.Opfake malware, which the vendor has tracked for some time. In the past, the malware masqueraded as an installer for the Opera Web browser or as a pornographic movie, and charged the user when either was downloaded.

The latest version is disguised as popular games, made available through dummy sites that link back to a central back-end site acting as a file generator or repository. Bogus versions of Fruit Ninja, The Sims 3, Temple Run and Angry Birds are used as the lures.

Cluley expects these criminal enterprises to expand, once the founders are confident they can scam people in other countries. "What makes money in Russia today, could be used in attacks against American users tomorrow," he said.
