Malware taps mobile ad network to siphon money

Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money from their victims.

The new method represents another step in the evolution of mobile malware, which is booming with more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading code.

"It's a very, very clean infection vector," said Wade Williamson, a senior security analyst at Palo Alto Networks who discovered the new trickery.

In legitimate partnerships between ad distributors and developers, the latter embeds the former's software development kit (SDK) into the app, so it can download and track ads in order to split revenue.

Unfortunately, how well developers vet the ad networks they side with varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network is high.

Wiliamson found one such network's SDK embedded in legitimate apps provided through online Android stores across Asian countries, such as Malaysia, Taiwan and China. Once installed, the SDK pulls down an Android application package file (APK) and runs it in memory where the user cannot easily discover it.

The APK typically waits until another app is being installed before triggering a popup window that seeks permission to access Android's SMS service.

"It doesn't have to go through the whole process of doing a full install," Williamson said. "It just sits there and waits on the smartphone to install something else and then piggybacks in."

[Also see:Ã'Â Mobile security incident costs, regional threat differences revealed]

Once installed, the APK takes control of the phone's messaging service to send text to premium rate numbers and to download instructions from a command and control server. The majority of Android malware today, 77 percent, wring money from victims through paid messaging services, said Juniper Networks' latest mobile threat report.

Williamson has seen more than a half dozen samples of the latest malware, which he believes is coming from one criminal group, while acknowledging multiple groups is possible.

Android users in Asia and Russia are more susceptible to Android malware, because many apps are downloaded from independent online stores. In the U.S., most Android users take apps from the Google Play store, which scans for malware and malicious ad networks.

Because of the effectiveness of the latest malware, Williamson expects criminals in the future to use the same scheme to download more insidious malware capable of stealing credentials to online banking and retail sites where credit card numbers are stored.

The same pathway could also be used to steal credentials for entering corporate networks.

"As soon as you have a vector like this, the difference between creating malware that sends spoof SMS messages versus looks for the network and tries to break in is just malware functionality," Williamson said.

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsmobile malwaresecurityad networkmobile securitysoftwareData Protection | Wirelessdata protectionpalo alto networks

More about GoogleJuniperJuniperPalo Alto Networks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts