We're going to get going a couple of minutes early because I've got an important public service announcement. Last year we received a note from an attendee, sorry, a human. This was my first DEF CON and I really enjoyed the conference. But I found all this swearing very upsetting. I think this lowers the quality of the conference and truly offends many people. Andy. Well, Andy. I want you to know that we take this very seriously at DEF CON. And the following phrases are now banned. Fuck, fuck you. Fuck off. What the fuck is your problem? No, I do not know who the fuck you are. What the fuck? And fuck you, you fucking fucks. Thank you, Andy, for bringing this to our attention. Oh, one last thing. We are the speaker goons. We're the guys that get these drunk people up here to speak to you. Our motto is AMF yo-yo. Because when the speakers give us a problem, we say, adios, motherfucker, you're on your own. We are of course looking for a replacement phrase now because we can't use that one anymore. So if you have any ideas, bring them over to the speaker room. We have another tradition here at DEF CON. Both Tim and Ryan are new speakers. They've never spoken at DEF CON before. So if I could get some help up here. Grab a cup, gentlemen. Grab a cup. People keep coming out for this tradition. He doesn't have one. You don't have one. All right. Cheers, gentlemen. Cheers. Have a good talk. So for those of you that don't know me, my name is Ryan Smith and this is Tim Strazzere. We are both security engineers at Lookout. Lookout provides mobile security for both iPhone and Android. We have about 45 million users around the world on which we get to see security events and help protect them. So with this, we see a lot of trends. We also have another acquisition system where we're able to acquire essentially all the Android applications that are in propagation and distribution around the world. So with this, we see a couple of trends.
When you have millions of applications, it's very difficult to track each individual set of applications. And one of the trends that we've seen is Russian SMS fraud. SMS fraud is something that's not new. We've been tracking it for about three years. But over the last three years, we've seen two trends. One is a rise in sophistication of the code, more obfuscation, more attempts to evade detection, and also a large, very steep increase in volume. So those trends have led us to this talk called Dragon Lady. The title of Dragon Lady comes from the code name for the U-2 aerial reconnaissance vehicle that was used to observe Soviet activities during the Cold War through adverse conditions, through weather. And their motto was, in God we trust, all others we monitor. Yes. So who are we? So my name is Ryan Smith. I'm a senior security researcher at Lookout. I've been a member of the Honeynet Project for the past 10 years, where I've learned a lot of skills, and I stand on the shoulders of many giants within the network organization. And I previously worked on x86 reverse engineering, so automated shellcode unpacking and malware sandboxing. Previously I spoke at AppSec and I triply Hicks. And as you guys all know, this is my first time at DEF CON. So Tim Strazzere, I'm going to hand the talk off to him for now. But another note, this is Tim's birthday today. So if you see this guy around, feel free to give him as many shots as you like. Thanks for throwing me under the bus, Ryan. So I'm Tim Strazzere. You can just call me Diff. I'm the different team at work for many different reasons. So just call me Diff, whatever, when we're going to drink at the bar. I'll buy you guys a shot if you buy me a shot. Everyone, that goes out to everyone. So I'm the lead research and response engineer at Lookout. Basically we get to take apart malware all the time. It's basically a dream job. If you guys are interested, come talk to me afterwards. We'll hook you up with the dream job.
I'm kind of known for the Android market and bashing my head against the wall and trying to figure that out for a very long time. I'm also probably the jerk who's responded to you on mailing lists if you ever ask questions about this. I'm a big junkie for reversing mobile malware. If you guys haven't looked into it, I suggest this to everyone I meet. It's really interesting because not only, like, when people are engineering applications for mobile, they have to worry about battery, is the connectivity dropping. It's really interesting from a mobile malware perspective of, you know, you're trying to create, someone out there is trying to create a botnet and also trying to work through those ebbs and flows of, is the network down? Where is this person that I've infected? And it ends up being a really interesting twist to the problem of malware. And I've spoken at previous places mainly about anti-analysis, decompilation and emulation. So why are you here and why do you care about what we're talking about? The deep dive, we really wanted to go and do this case study about Russian malware because you see lots of headlines out there and they're really misleading. Or they're interesting because there's numbers and percentages, but percentages lie. You know, there's an increase of things. Like just giving a percentage of saying, like, it increased a thousand percent. What does that even mean? Does that mean you went from, like, zero samples to having ten samples or something like that? So we wanted to quantify and actually dig down and say, like, what is the difference? We're not just basing this off of total numbers of files that we see. Another thing is when you look at samples in the wild, AV companies usually distinguish samples by, there's a hash. So when a unique file comes across the table, they say we have a new sample. But when you look into the code of those, sometimes there's absolutely no difference in the actual file.
So you know, if you're just going to go out there and grab ten thousand samples, but they do exactly the same thing, there's really no differences except for maybe a few modified flags. It kind of makes you, lets you boost up your number if you want to. But it doesn't really help you solve the problem at hand or actually understand the problem. And then another reason was we see a lot of things coming out of Russia and everyone just says it's Russian toll fraud and it's called fake installer. And they kind of just throw everything into it and it's like, well, it sends SMS, therefore it's the same thing. It's not true once you start digging into the actual technicality of it. So as I said, a new hash is not always a new sample. And this was an example I just pulled up from what we call alpha SMS. And I had three APK files, which is essentially a zip file. And you get the SHA-1 sum of those. The SHA-1 sum ends up being something different. So a lot of people at this point might say I have three different samples and these are three different infections and now I have three things instead of one. But once you start pulling these apart, you end up seeing the classes, which is essentially where all that code lies for an Android application. They're all exactly the same. And Ryan will go into depth on this, but basically if I pull this open in a hex editor and I'm looking at a zip template, as you can see, the actual times of when these were packaged are different. And that's the only difference in here. There's also a configuration file for when the affiliates were going through. So different affiliates have different affiliate configurations, but the code is actually identical. So these samples are exactly identical. They just belong to different affiliates. So that's interesting in its own case, but you need to understand this difference instead of just saying I have three different pieces of malware here.
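The point made above, that three APKs with three different SHA-1 sums can carry a byte-identical classes.dex and differ only in zip entry timestamps or an affiliate configuration file, can be checked mechanically rather than in a hex editor. The following Python is an added example, not code from the talk or from Lookout: it builds three constructed, APK-shaped zip files in memory (a stand-in classes.dex that is not real Dalvik bytecode, and a made-up assets/config.txt whose affiliate value is invented), fingerprints each zip entry separately, and clusters the samples by the hash of their code instead of the hash of the whole file. All names and values in it are assumptions for the demonstration.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Constructed stand-in for classes.dex: only the "dex\n035\0" magic is real,
# the rest is filler, not bytecode. It is identical in every sample below.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64 + b"constructed-identical-code"


def build_apk(affiliate_id, packaged_at):
    """Build an APK-shaped zip in memory (constructed sample, not real malware).

    Only the zip entry timestamps and the affiliate config differ between
    samples; classes.dex is byte-identical, as in the alpha SMS example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in (
            ("classes.dex", FAKE_DEX),
            ("assets/config.txt", f"affiliate={affiliate_id}\n".encode()),
        ):
            info = zipfile.ZipInfo(name, date_time=packaged_at)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


def fingerprint_apk(apk_bytes):
    """Return the outer archive hash plus a per-entry hash and timestamp."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            entries[info.filename] = {
                "sha1": hashlib.sha1(zf.read(info)).hexdigest(),
                "date_time": info.date_time,
            }
    return {
        "archive_sha1": hashlib.sha1(apk_bytes).hexdigest(),
        "code_sha1": entries.get("classes.dex", {}).get("sha1"),
        "entries": entries,
    }


def diff_entries(apk_a, apk_b):
    """Classify every entry as identical, timestamp-only, or content-changed."""
    ea = fingerprint_apk(apk_a)["entries"]
    eb = fingerprint_apk(apk_b)["entries"]
    result = {"identical": [], "timestamp_only": [], "content_differs": []}
    for name in sorted(set(ea) | set(eb)):
        if name not in ea or name not in eb:
            result["content_differs"].append(name)       # added or removed
        elif ea[name]["sha1"] != eb[name]["sha1"]:
            result["content_differs"].append(name)       # payload changed
        elif ea[name]["date_time"] != eb[name]["date_time"]:
            result["timestamp_only"].append(name)        # repackaged only
        else:
            result["identical"].append(name)
    return result


def cluster_by_code(apks):
    """Group samples by the hash of classes.dex, not of the whole file."""
    clusters = defaultdict(list)
    for label, apk_bytes in apks.items():
        clusters[fingerprint_apk(apk_bytes)["code_sha1"]].append(label)
    return dict(clusters)


if __name__ == "__main__":
    # Three constructed samples: same code, two affiliates, two package dates.
    samples = {
        "sample_1": build_apk("A1", (2013, 5, 1, 0, 0, 0)),
        "sample_2": build_apk("A1", (2013, 5, 8, 0, 0, 0)),
        "sample_3": build_apk("B7", (2013, 5, 8, 0, 0, 0)),
    }
    for label, data in samples.items():
        fp = fingerprint_apk(data)
        print(label, "archive", fp["archive_sha1"][:12], "code", fp["code_sha1"][:12])
    print("clusters by code hash:", cluster_by_code(samples))
    print("sample_1 vs sample_2:", diff_entries(samples["sample_1"], samples["sample_2"]))
    print("sample_2 vs sample_3:", diff_entries(samples["sample_2"], samples["sample_3"]))
```

Run as a script it prints three distinct archive hashes, one cluster containing all three samples, and the per-entry classification: sample_1 and sample_2 differ only by timestamps, while sample_2 and sample_3 share classes.dex and differ only in the config entry. On real APKs the same per-entry hashing applies unchanged; the stand-in dex is the only thing constructed here.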
The basic families that we went through, where we ended up breaking up the Russian malware, are alpha SMS. BadNews, which is actually a recent one we just blogged about. This one was specifically interesting because it was basically an ad SDK that these malware authors were attempting to get developers to use inside their applications. Then we also have Connect SMS, Deposit Mobi, Fake Browse, SMS Actor. We also have at the bottom, this is not toll fraud, but it is Russian malware, NotCompatible, which I'll touch upon a little bit later. As you can see, they all send SMS except for the bottom one. But they do have other features sometimes in there, like downloading applications, trying to install those applications, or suggesting that a user install that application. A lot of them exfiltrate personally identifiable information. So that's stealing your contacts or attempting to look at your web browser history. And then it was also interesting to notice that some of these people were using obfuscation. It was all, not off-the-shelf obfuscation. So it was all this custom-made stuff that we're seeing, and you can actually see that between the different groups, they started sharing obfuscation techniques. And we thought this was important because, as you see, lots of people just say, all those different families that have different feature sets, and they also have different ways of infecting people and different feature sets. Basically, a lot of people just say, well, it's Russian SMS. Who cares? Like, let's just group it all into one. And you kind of miss the big picture of who's doing this and what they're actually attempting to go for. So as we were going through, just specifically I was looking at Connect SMS. And I went through our archives of samples and I pulled randomly, I pulled a sample from A, F, P and S. And so these are all different variants of the same family. And it ended up looking pretty interesting.
You can see the package-by date, when these were actually created by the malware author. And then the first instance actually just had no obfuscation in there. It was really simple. Basically, you open up this application and it just sends an SMS and that's all. There's debug information in there, which ended up being kind of interesting because this means they didn't run ProGuard, they didn't run DexGuard, and they just had all this extra metadata sitting there in their application. Later on in F, we actually saw this is, it was packaged a few months afterwards. They started adding more SMS endpoints. They actually extracted that into a configuration file. So it wasn't just sending hard-coded SMS. And it actually had all the SMS endpoints, and the URLs started becoming encrypted in that external file. They also added contact exfiltration, which was interesting because they weren't actually spamming your contacts, but they're sending that off to a third-party server. So it was just an interesting way to see this sample evolve. Later down the road, we still see the SMS endpoints and the URLs encrypted, which was actually being used, the same cryptography was being used. They added more obfuscation at this time. So if you just looked at the two samples next to each other, without digging down deep, you might say, this is brand new code. But, you know, you de-obfuscate that. Wait, they're using the same cryptography. Okay, they're even using the same keys. That ends up being an interesting correlation to draw. In the actual P sample, they removed the contact exfiltration. So it was interesting to see that these guys are attempting to evolve. Maybe they decided we're going to steal everyone's contacts, maybe we're going to spam it. Maybe they tried that technique and it didn't actually work out, so they ended up removing it. Maybe they saw, like, a correlation of people are downloading less things because they added more permissions.
And then in the last sample that we saw, and this one is actually pretty recent, they've actually moved the SMS and URL endpoints. They're still encrypted, but they're not actually kept inside the package. So what they're doing is they're actually contacting a URL and dynamically retrieving that information. So now you no longer have actual static configurations in the application. So another interesting point when we were going through that obfuscation, and here's an example, this is actually from alpha SMS. These people were building custom obfuscation tools. And essentially, if you know what Java code looks like, this is smali, which is reverse engineered, basically taking the Dalvik bytecode and putting it into human-readable format. This is basically a Java reflection call, and they're decrypting the string, which just looks like garbage essentially. And then they're using that decrypted string to reflectively instantiate some function methods. So I believe this was actually the start of a send message function. And it ends up being really interesting because when they're running these tools against all their samples, almost weekly they were changing their obfuscation methods. The patterns were essentially the same, but you couldn't actually look for the same encrypted sequences or the same exact pattern. It was very similar, but once you start de-obfuscating all these, the samples end up aligning again and you see that code similarity coming back out. A lot of people have looked at this and said, oh, okay, it's polymorphism, they're just trying to change it all the time. It ends up not being as scary once you understand what's actually going on. But it is interesting to see that different organizations tend to start sharing this obfuscation technique, and you actually see them distributing malware that's using the same techniques but then different seeds into that actual obfuscation.
One of the really interesting trends, we sat down with our data team and we were looking at detection data. And this is just a quick cross-section of one specific family. This one, I believe, was Connect SMS. And this is a little old for the data, but it does illustrate the point that each different color is a specific variant that was getting pushed out. So essentially what we saw is that there were different package names getting pushed out every single week. And once you read through the noise, what was actually happening is these guys were essentially operating like a startup with, like, an agile type of methodology. So as you can see, almost, this ends up mapping out to be seven days. So for seven days, they're going to be pushing the same exact piece of malware to thousands of devices, and they keep just trying to jam it down the throat using spam techniques or getting infected hosts to serve this up, like infected websites. And what happens is almost right on midnight in Russian standard time, which, that's not actual standard time, but Russian time. So basically at midnight, they switch over and they just stop pushing that old piece of malware and they start pushing a new one. So they're incrementally pushing updates. So this is basically, you know, Russian malware startup 101, which ends up being really interesting. So while we're going through this, we actually came across NotCompatible. This isn't actually SMS fraud, but it is another interesting way to see how this mobile malware in Russia specifically is being compartmentalized and actually commoditized. This was an interesting one, essentially, because if you look at the diagram at the bottom, they're infecting devices and essentially using, you know, people inside the U.S., people in different countries as proxies to hide their traffic. And you might think, like, well, who cares? Like, what are they actually using this for?
It looked like what they were doing was they seem to be buying up swaths of compromised accounts or compromised websites, luring victims in through there, actually getting the devices infected. And now once you have someone in the U.S., maybe they're starting to sell these services and actually let other people use that proxy connection. So what this looks like it's going to be doing, we've actually observed traffic of them purchasing tickets online. So this most likely is to evade actual fraud detection systems so that, you know, when you see someone from Romania buying Justin Bieber tickets for L.A., that probably triggers a flag and you're like, well, why is that wrong? I mean, everyone loves Justin Bieber, but Romania, I don't know. It's a pretty long flight. So they're actually going to go through and they're going to take a device that's infected in L.A. and then they're going to just proxy their traffic through there. They buy that ticket most likely with a stolen credit card. They then have a mule pick it up, maybe they sell that. They do something with that ticket, but basically they're allowed to get around that fraud detection system because they look like they're actually an endpoint. That is a viable endpoint for purchasing that type of work. And I'm going to hand it back over to Ryan, which please buy him some drinks too. Thanks, Tim. So I'll step back for a second. So just to summarize, when we had this large amount, so these Russian SMS fraud organizations we noticed were accounting for 30% of our overall detections worldwide. So that's a huge number. And it's a huge number of samples of malware to look at. So when we look at classifying them and doing the deep analysis, like Tim said, it's important to not just call them all, oh, this sends an SMS, so I'll call it SMS send. But really categorize it by individuals because they evolve differently. Different actors act differently. 
And once we started dividing them differently, we noticed certain particular actors evolving different than the others. And they appeared to be distributing at higher and higher rates. And so this led us to find these SMS fraud, basically cottage industries, where there's an entire industry built around SMS fraud. And the entire distribution channel has been commoditized where everybody's getting paid to do their little piece of the pie and they specialize in that specific thing, maybe distributing or creating fake websites with realistic-looking skins or themes, or some people specializing in social media distribution through Twitter or Facebook or things like that. But each person specializing in one thing or another. And that has led to these top 10 organizations that we've identified accounting for over 30% of the overall detections. And that's quite significant. So this is DEF CON after all, so this is an investigation of Russian SMS fraud, but it could also be called. If you happen to find yourself in the Moscow international transit area, saving up for a permanent vacation in a South American country, which we all know there's other outs, here's how you might find some extra cash. But please don't. I'm not advocating that. So you might go to a chat room like this. There's plenty of forums rather in Russia that are specialized in what they call Black Hat SEO or Web monetization. Some more gray than others. There's lots of ways to monetize in Russia as I'm sure you guys are well aware. And so this one you might be searching for Android WAP. WAP is the wireless application protocol. And that's basically what Russians call the data channel over a cellular network. So anything that has to deal with mobile data, they call WAP. So these systems are typically called WAP click or WAP this, WAP that. So you find one and it says that it has unique landing pages and it's the best of the best. So you click on that and it tells you a few things. 
It tells you they pay out every Thursday. It says that they will help you. They have the best successful landing pages. They'll help you distribute. And essentially what this is, this is an advertisement for an affiliate system where you can sign up and if you have mobile traffic, you can sign up and they will help you distribute these Android malware that they'll custom package for you and deliver to your victims transparent to you. So you just set up websites, you drive traffic, you get money. And to see how easy that is, I don't know if this video will play. But yeah, so they make it seem like child's play. Like you sitting out on the beach, riding on top of mobile phones, coins dropping out of the sky. You have to do a little work but we'll take care of the rest. And that's essentially what these organizations are. They take care of the technical parts, they take care of the campaign running and things like that. And you just have to deal with building out websites and making money. So we have a life cycle. I'll go around it piece by piece. So individually I'll talk about the HQ organizations is what we're calling them. But there's basically these affiliate marketing headquarters. These are the guys that say we'll take care of building Android malware for you. We'll take care of helping you run a successful campaign. We'll tell you which campaigns are more successful. So some of the themes that they look like and I'll show you this later, they look like opera, they look like Skype, they look like ICQ or Flash. So they'll tell you which ones work in which countries and in which markets. And they'll take care of all that for you. They also take care of one of the things that that post said in the forum is that they also have good relationships with the billing companies, with these SMS fraud billing companies. 
So for those of you that don't know, I'm not sure if there's people in the room that don't know, but SMS fraud is essentially you download an Android application and as soon as it fires up, as soon as you launch the application, it sends off three text messages. It can send off any number of text messages, but in most cases it's three individual text messages, usually distributed among different numbers so that if one doesn't succeed the others might. And then they get a response back and say I've sent the messages, and typically it'll either close down or maybe they give you a coupon or a link or something, but not what you were anticipating on downloading. So these organizations, they have the business relationships with the SMS registrars, and that's what they provide. So they handle the business in the back end and the technical side of building out the Android applications, and I'll walk through what some of that looks like in just a second. So what these organizations look like if you went to their sites, some of them look like fairly legitimate businesses. Now this one looks like it's maybe from the 1980s, so you'd be a little bit skeptical, but some of them are a little bit flashier, they're more HTML5, you know, something that you'd be more comfortable with. Some of them have, like, a nice milkman look to them, but some of them don't. Not all of them do. So some guys don't try to hide what they're doing, but because of that, so these other organizations that I showed you that appear to look squeaky clean, they have open registration, so anybody can sign up with a WebMoney account and an ICQ number and email address.
Now these guys are a little bit more skeptical. They want to talk to you, like on ICQ. They want to know how much traffic you have, because they do, so what Diff was talking about earlier, not all SMS malware is made equal. These guys actually do a lot of PII theft and they'll run botnet commands through your, through the infection, so they do a lot more than what the other guys do, and their look should show that. So what they also do is they try to promote affiliate distribution. So they promote whoever is the top affiliates, they try to encourage you to distribute more, and all of them have a top twenty. So they'll have a listing of who their top affiliates are. These have badges of honor if you're a top affiliate, and they show you rankings, like how many places you've moved up and down. And here's another one that looks quite similar. Here you get the big chair if you want it. It's a little classier, and this is one of the top. Those two are the top distributors as far as the HQ organizations as a whole. And some of the other things that they do: we saw that they run quarterly competitions also, on top of the regular rates. And again, if you're a top affiliate, most times you get additional payout, so the percentage will increase as you bump up to the top, once you become a top affiliate, because they don't want to lose you. And so some of the other things that they do is run quarterly competitions. So they have a summer competition that we just saw an announcement for. They were advertising three hundred thousand U.S. dollars in prizes, cash in prizes, so it's significant amounts of money. And individual affiliates we've seen have made up to twelve dollars, so twelve thousand dollars per month, sustained over multiple months. So this is a fairly significant industry for both the affiliates and these HQ organizations.
And so I mentioned before, affiliates can leave if they want to. They're not tied to one of these distributor HQ organizations. So they also provide news feeds, they also provide customer service, and some of the top affiliates actually go out and force-rank these websites in, like, customer service, payout timeliness and things like that. So they operate, like Diff said, as a startup, and they're pushing out new code, new features every two weeks, because they want to keep their affiliates happy and engaged. So as an affiliate you would come along and you could use these tools that they've built, and with almost no technical knowledge, no knowledge of how to build an Android application, you could go through a step-by-step process of building one of them for you. And I'll go through that step-by-step process with you right now. You name your campaign, so you can set up campaign A and campaign B, and you can test one on one set of websites and one on another set of websites, and you can see which one does better, because these guys take it seriously, like a business, and they want to see which of their investments are doing the best. So second, you choose your targets. So this site provides Android, iOS and Symbian support. So Symbian and iOS are very basic, whereas Android is very clearly the key target. So then you pick a theme. So here these guys have maybe 50 different themes that you can choose from. You have your typical porn and porn videos, and then you have MP3s, free MP3s, those always do well, but lately there's been a rise in things like Adobe Flash, you know, the pop-ups that say update your Flash, or download the newest version of Skype, or download Opera. So you can choose the theme, and here this site even gives you a pop-up that'll tell you what the effectiveness of that theme is. So they'll tell you what the payout has been, what the success, the conversion ratio has been, in what countries is it most successful, how is it best distributed, and they give you all sorts of tips so that you can pick out the best theme for your market.
Once you have that, they essentially give you copy-and-paste code. You take some JavaScript, you put it into your landing page, you build out some websites, and the JavaScript will automatically redirect your users to their download page, because these are custom-built Android applications. They don't just build them and give the code out, give the APKs out. They build everything dynamically, so they redirect all the traffic back to them, to these headquarters organizations, and when the users or the victims come along, they download and they custom compile things. And like Diff said, that's what leads to a lot of these individual hashes. So you see different hashes, but that's because every victim that comes along is getting a unique version. Even though the entire, the code is the same, the timestamps are going to be different and maybe the theme is going to be different, because everything is extremely customizable in these applications. These guys don't waste any time hard-coding the information in there. So all the SMS registration information, all the themes, everything is custom configurable and templated. So once you have these sites, once you have the Android campaign built out, you need to distribute it. And so you need to build convincing sites, you need to register convincing domain names, and you need to lure in some traffic. And this is where the affiliates really go to work. These are sort of the foot soldiers of these HQ organizations. So they put them to work going out and registering these little accounts. That way, if they use any bad tactics that happen to work, like spamming, they can say, well, we told them not to spam, and you can just shut down those domains, but the big domain and all the other affiliates are safe.
So the individual affiliates will build out pages. Some of the pages we've seen look like this. So this one's SEO-optimized to look like a search query for Opera. So you might search in Google and then be redirected to a page like this to download Opera, and then when you click anywhere on here, you would be redirected to what looks like an Opera download page, and once you downloaded that, that would install on your phone, you'd be charged money. One of the other popular scams is Google Play. Obviously this doesn't look exactly like Google Play, it's called Android Play, but it's fairly convincing and generates a lot of revenue for these guys also. And then if you want to download the Google Play market, you can do that, and again this looks convincing, the domain is even convincing, and that's how these guys generate the traffic to then push people to download these applications. And then they're getting anywhere between three and eighteen dollars per download and install. So once you build out your websites as an affiliate, you need to drive traffic to those sites. So some of the ways that we've seen is through social media. Twitter happens to be a common theme that's used by these guys. Another common theme that we've seen is in the Russian network specifically, they've started building rogue ad networks. So Diff mentioned BadNews. This was an ad network that was built with the express intent of pushing malicious links to these SMS fraud applications. And so when a user would buy some sort of game application, they would see a pop-up ad that would say, you know, urgent, you need to update your Skype, it's out of date. And when they would click on it, they would download one of these, they would be redirected to one of these pages and download an application that would charge them anywhere between three and eighteen dollars and then not give them Skype.
So what do some of these Twitter accounts look like? We found over fifty thousand Twitter accounts that were distributing spam-type messages linking back to these Russian advertising networks. Some of them were more obvious than others. This guy was, I think he was tweeting out links to only the same domain and then just changing the page, so that was a bit obvious. Also he was sending out tweets three in one minute, so he was very bursty and he was very greedy, and you can see he sent out thirty-six hundred tweets in a very short amount of time. It may be like six months, but you can notice he doesn't have very many followers, he's not following that many people, so that's a lot of tweets for a guy with no friends. So some, like I said, are not as obvious. The only thing obvious here is that this guy has the default profile picture. So a lot of the Twitter accounts, because they're being bought up in blocks of, like, ten thousand Twitter accounts, they won't bother to customize the def, sorry, to customize the profile picture. So they'll leave the default profile picture up there, and that's usually a fairly good indicator that they may be up to no good, but not necessarily the only indicator. So this guy, you can see, is more distributed. He's even retweeting. He's talking about lawyers online that rule, legitimate traffic, so he's interspersing normal conversations with his malware, and so he's trying to evade a little bit more cleverly. But he's only sending 130 tweets with only one follower, so he was caught because he was related to somebody else who is not so quiet.
So next, again, once you've built out this traffic, you've sent people through Twitter back to these landing pages, from the victim's perspective, you know, they would go click one of the advertisements, they would click on one of the Twitter links, then they would go to the web page, the landing page, they would download the application, and it would look like this. So you see Google Play in the bottom left. That doesn't really stand out as suspicious, and that's basically the only thing that's real about the application. So you open it up, and at the top, so I'll do some quasi-translation for you, at the top it's saying that this is an important update, and then it says that it's the new version of Android Market, and then down at the second it says that it's installing, and then here it says that it's installed and please click run, and then the bottom button says run. If you notice, there is some fine print on the bottom. I don't know how many people actually read it, but in this case it's kind of important, because it tells you how much they're going to charge you. But again, when you downloaded it, there was nothing telling you that they were going to charge you. So if you notice from these landing pages, in order to comply with what these affiliate HQ organizations say their policy is, you can't tell somebody that it's free, but you also don't have to tell them that they're going to be charged for it. Just putting this terms of service somewhere in the application is good enough. And so in this case there was a link at the bottom. Maybe that's caveat emptor, you should have known, but in other cases it's not as obvious. So in this, I don't know if you can tell, but there's no links, and all it says is if you're ready, click here to go to the next screen. And if you look in the code, you would see that there's a lot of breaks, there's a lot of new lines, and they've essentially pushed the terms of service so far down, it's down there at the bottom, that you would have to scroll down for about two minutes before you ever get to the terms of service. But technically it's there. So again, instantly, once you've downloaded these applications, the only reason that that install bar is up there, which by the way is just a JavaScript loop, it's not actually tied to any progress, the only progress that it may be tied to is ensuring that they have enough time to send out the three text messages before the
application closes so the money goes directly out to the carriers in some cases you have some time to negotiate with the carriers and say hey that's not that wasn't a charge that I was expecting and depending on the carrier depending on which country you're in these windows of time that you have to dispute very so in the in the US it's 60 days up to 60 days but in other countries it's it's very slim and maybe potentially none some in some cases it may go directly into their accounts and so once the money goes into the accounts of the SMS registration the HQ organizations will take that money out and distribute it to the individual affiliates that were responsible for generating those downloads and they have ways of tracking individual downloads that they're rewarding the right people and so again here here's evidence of how much one person can make in a month and in this one case this is just a one month could be a one-off but he made 600,000 rubles which is roughly equivalent to 20,000 US dollars in one month so you could save up for a pretty good vacation so some conclusions so we found 10 Russian SMS fraud sites that accounted for over 30% of the worldwide malware detections as diff pointed out and I think I've kind of pointed out also the number of these detections can be often inflated so in some cases we see over a hundred thousand unique samples but when we classify them the way that we do we can condense them down into only 100 variants of the same malware so reduce it you know significantly and track exactly what they're doing and by classifying it this way we've been able to follow these individual malware that's being distributed up through the distribution channels through the affiliates and some people may have stopped there so sometimes you might say hey we know where these download links are coming from we can just shut down those domains for these landing pages but then you'd be spending your time in the whack-a-mole game because you'd be knocking 
down one affiliate and another one would pop up and then you knock down another affiliate and another one would pop up but by seeing all the way back to the headquarter organizations you can see the entire picture and step out of the whack-a-mole game a bit and see where the key linchpin pieces are and so SMS fraud is a very diverse threat requires careful categorization just because it sends an SMS does not make it the same as Dip pointed out some applications will try to steal more data and try to do more harm than just SMS fraud and we've seen commoditization so here we're seeing commoditization similar to how we've seen PC crimeware happening in Russia and this is the first big instance of commoditization in the actual industry around mobile malware and so that's a significant development that this isn't just one guy developing software but it's one guy developing software selling it to a larger organization who has connections to SMS registrars and have maybe thousands of affiliates distributing the malware for them and then those affiliates have people building websites for them and generating social media traffic for them and so there's a fairly large and broad industry involved in the distribution of these these very few organizations malware and so I'll let Dip come up and thank a few people but I'd like to thank the entire R&R and security team at Lookout there's a lot of people in the background that did a lot of work here Dip and I are just the people that are lucky enough to be standing up in front of you but certainly there's a lot of others doing a lot of hard work on our team at Lookout I'd like to also thank the Honey Nut project there's a lot of people in that organization that I've stood on the shoulders of and certainly learned a lot especially in this type of investigation and then Dip. 
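The Twitter-account indicators Ryan walks through above (every link to one domain, three tweets inside a minute, thousands of tweets with almost no followers, the default profile picture, and the quiet account that was only caught through its relation to a louder one) written up as a defender-side triage script. This is an added example, not Lookout's tooling: the Account shape, the numeric thresholds, the `.example` domains and the three sample accounts are all constructed, and it assumes Python 3.8 or newer.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed account shape, not a real Twitter API object: tweets = [(datetime, link-or-None)]
Account = namedtuple("Account", "handle followers default_avatar tweets")

def burst_windows(times, window=timedelta(minutes=1), n=3):
    """Count runs of n tweets that fit inside `window` (the "three in one minute" sign)."""
    times = sorted(times)
    return sum(1 for i in range(len(times) - n + 1)
               if times[i + n - 1] - times[i] <= window)

def link_domains(acct):
    return {urlparse(u).netloc for _, u in acct.tweets if u}

def score_account(acct, flagged_domains=frozenset()):
    """Indicators from the talk that fire on `acct`; the thresholds are assumptions."""
    links = [u for _, u in acct.tweets if u]
    domains = link_domains(acct)
    checks = [
        (len(links) >= 20 and len(domains) == 1, "every link points at one domain"),
        (burst_windows([t for t, _ in acct.tweets]) > 0, "bursty: 3+ tweets inside a minute"),
        (len(acct.tweets) >= 1000 and acct.followers < 20, "thousands of tweets, almost no followers"),
        (acct.default_avatar, "default profile picture"),
        (bool(domains & flagged_domains), "links to a domain used by an already-flagged account"),
    ]
    return [reason for hit, reason in checks if hit]

def triage(accounts):
    """Flag the obvious accounts first, then re-check the quiet ones against their domains."""
    flagged = {a.handle: r for a in accounts if (r := score_account(a))}
    seen = frozenset().union(*(link_domains(a) for a in accounts if a.handle in flagged))
    for a in accounts:
        if a.handle not in flagged and (r := score_account(a, seen)):
            flagged[a.handle] = r
    return flagged

def build_samples():
    """Three constructed accounts mirroring the cases described in the talk."""
    t0 = datetime(2013, 1, 1)
    loud = Account("loud", 4, False, [  # 3600 tweets, three per hour within 30 seconds, one domain
        (t0 + timedelta(hours=i // 3, seconds=15 * (i % 3)), "http://ad-net.example/p%d" % i)
        for i in range(3600)])
    blank = Account("blank", 2, True, [(t0 + timedelta(days=i), None) for i in range(5)])
    quiet = Account("quiet", 1, False, [  # 130 tweets: chatter mixed with links to two domains
        (t0 + timedelta(hours=6 * i),
         None if i % 3 else "http://ad-net.example/q" if i % 2 else "http://lawyers.example/")
        for i in range(130)])
    return [loud, blank, quiet]
```

On its own the quiet account trips none of the checks; it is only flagged in the second pass, once the loud account's link domain is known.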
A lot of the samples that we actually went through, and we submit a lot of samples to Mila, which, thank you to Mila for running the Contagio Mobile malware dump. If you ever want to have some fun things to look at for reverse engineering, she also has lots of crimeware kits up there, but there's lots of actual mobile malware. If there's any other specific samples that aren't up there, feel free to reach out to us. We're always in the mood for sharing and trying to, you know, make new friends and share techniques and whatnot. Also, just for Android reversing in general, you should follow a lot of these guys. These are all their Twitter handles. jduck does some really interesting stuff. pof and Thomas Cannon from viaForensics, really, really smart guys. Anthony Desnos, he's the creator of Androguard, really interesting guy. osxreverser, that's fG!, he's a guy based out of Portugal. You should really follow him. He does some really interesting stuff based around the economics of malware and rootkits. He's the one who's always making fun of Hacking Team for Crisis and whatnot, so he's showing people how to make better rootkits, and he's done some really interesting stuff, and like I said, it's a really interesting perspective, looking at the economics of malware and what the return on investment is for all that. Other than that, Justin Case and Gunther and Crypto Girl from Fortinet, really great people to follow, and you'll be able to stay up to date on the most really interesting Android malware and just the rooting scene in general. And then if you'd like to see more information, we actually posted on our blog, so blog.lookout.com. There's a, it's about like a 10-page, almost like a white paper, and has a lot more technical details that we kind of tried to skim over to prevent you guys from getting a pre-lunch, post-lunch coma. Thank you.