Hello, I'm Jimmy Shah. I work with McAfee on mobile security solutions, or whatever you want to call it. My thing is mobile devices, tiny devices, anything small; in a car, if it has a microprocessor in it, we deal with it, or at least the threats to it. Who we are? Whoa, did I skip a step? Okay, we're mobile antivirus researchers. We deal with threats to devices, like malware, viruses, Trojans, hold on. We work with a team of people globally located in parts of Asia, parts of America, around; we are never sleeping, or something like that. So we specialize in pretty much every platform; if you have something new coming out, we're probably looking at it also. And we work with a bunch of mobile carriers and handset manufacturers and pretty much anything in the mobile space; we're tied up with that.

Okay, let's go quickly through the first few slides. We currently are seeing about 1200 different variants of mobile malware. The pie charts are good; we are showing you the layout of overall what we have seen. The big slice is Symbian, which is now nearly gone with many backers pulling out, but at a certain time it was pretty much the largest affected platform, period, followed closely by mobile Java, and then the new up-and-comer, Android, which is similar to but not quite mobile Java. Actually, if you look at our quarterly stats, we're actually seeing Android creeping up on mobile Java and Symbian falling down. And I think the most current new malware we're seeing is all Android, so we'll be seeing more of those at the end.

Let's take a quick look at historical for-profit malware. The first for-profit malware was pretty much Java/RedBrowser.A, which was a fake web browser. It pretended to be a web browser: okay, you browse over SMS. So it was a Trojan, and it put a lot of effort into fooling you into thinking,
"Yeah, okay, we'll send an SMS out there and we'll be able to browse the internet, and it'll be cheaper than using a data plan. Nice." It didn't do that. It just sent out a bunch of messages to a bunch of Russian premium-rate SMS services. And then it was followed quickly by Wesber, which didn't even try any of the techniques used by RedBrowser; it was just like a mugging, really. And those are the first ones, the first few we ever saw; it was about four or five years ago.

What we see generally with mobile malware, and pretty much mobile malware on any platform, is sort of a life cycle of how it goes. The first stage is the R&D stage, where we have people like virus writers, other hackers perhaps, or what we'd call security researchers, looking into making proof of concepts and putting them together, writing tutorials, putting out papers, putting on presentations, teaching people how to deal with the platform, how to figure out what API to use, figure out what we're doing with it or what people are doing with it. That's followed relatively shortly after by the first big rush of people; by that we use, not a cycle, so I guess whatever you're going to call the next stage. You'll notice all the bugs are very similar; they look a little different, they're cosmetically different in that they have different colors. That tends to happen quite a bit with malware: once people have gotten through the whole "what APIs do we use, what can we pull off on the platform", why don't we just reuse the code and just change the strings or something? That's what usually happens. After those two stages are done, that's where what this talk is actually about comes in: how do people make money once they've decided to go into malware? Like, what do we do next? We've done the creative part, we've done all the repetitive part and the copycat stuff; how do we actually put money in our wallets?
And that's really what the rest of it's going to be. Let's look at modern, more for-profit malware, where you're actually... Here are your trends by geographical region. You'll see the map here; we have rough regions like North America and South America and Africa, Western Europe, Eastern Europe, Asia, Australia. We haven't really seen a lot of mobile malware coming out of America. We're suspecting that might be because we have so many ways to make money legitimately. Maybe; could be. We have the app stores, where you can sell your apps there and make a lot of money. Okay, you can make a fart app and sell it for, I don't know, a buck now; I mean, they've actually brought the price down from whatever it was, like 25 bucks, down to over 10 bucks. Or if you bought that one, what was it, "I Am Rich", for like 9,999, whatever the top limit is on the Apple App Store; I think they sold about two copies. People thought it was a joke, but they didn't read the EULA. What was that? Human Centipede, South Park. Yeah, read the EULA or you get stuck, apparently. So we don't see a lot in America, and there's not too much in South America; we're not sure why exactly, but there's not too much in Africa. Part of this, in the other parts of the world outside of North America, is that it's not as profitable to have, or to purchase, a smartphone; it's a really large part of your income, and you're not likely to have one. You're probably going to have a feature phone that just runs Java and maybe a couple of MP3s or video files.
It's big, simple. So we pull them out of the mix, the geographical regions, and we end up with basically Eastern and Western Europe, where we saw maybe one or two things, and that's actually tied to Australia, where we saw the Ikee worm. We call it Mac... we call that OSX/RRoll.A through C. So, three variants; the first two versions were by the guy Ashley Towns, ikex or Ikee, I forgot what his handle is. He wrote this worm for jailbroken iPhones, and it basically replaced the background with Rick Astley. It's like, yeah, all right, awesome. So after all this, he then released source code for those two worms, and at the same time, or a little bit after, he got picked up as a legitimate app developer. He got a real job out of writing mobile malware, or a worm. But the key point of that is how that ties into Europe: the next variant turned into someone actually trying to turn that into something that makes money directly from the app, or from the worm. Instead of just doing the worm that replaces your background with Rick Astley and does a bunch of nonsense, the next step turned into a phishing worm. It was RRoll.C; some people call it Ikee.B. Basically it was two pieces: one was a downloaded script, and one part was basically the propagation portion of the original Rickrolling worm, to push it out to every jailbroken iPhone and get it out there. And the different part, what it attempted: we've seen all the analysis, it said, oh, it sends SMS, does this, does that, whatever; all it really did was add a new hosts file entry to replace a local European banking website with that of a server under control of the attacker, somewhere in a different location. And basically you go to your website, you ship to them, and they take your money. It's kind of nice for the attacker, not for anyone else. That was also closed down pretty quickly, because it was
pretty obvious what they were doing; banks shut it down quickly. So we kind of move on from them. We move on to basically what's left, because outside of those jailbroken phones we don't see much on any other real phones, or regular phones, say an Android phone or Windows Mobile, or pretty much anything like that, any other option, or webOS or anything else. What we're really seeing is that there are basically two regions: Russian-speaking areas and Chinese-speaking areas, pretty much. And it splits into basically, okay, we've got about a hundred-odd variants from the Russian-speaking areas and about 200-plus, so nearly double, pretty much coming out of the Chinese-speaking areas. And then the interesting part is what the differences are between them. If you're looking at the Russian-speaking areas, you figure Russia's known for a lot of very complex malware and whatnot, especially on the PC. On the mobile side, they've got really simple Java Trojans and SMS-sending Trojans; like, that's basically the bare, simple, easiest possible thing you could ever do. Okay, hey, let's send an SMS. That's it. That's all they do. That's like Wesber, just like the mugging, just like RedBrowser in the beginning, the four-year-old or five-year-old technique; that's all they're doing. They haven't changed that in about five years. They've changed the strings and names, whatever; still the same. The other versions we're seeing, or at least the variety we're seeing, in the Chinese-speaking areas:
we've got multiple platforms. Or actually, let me go back to the Russian areas. Android is programmed in Java and it gets converted to a different format, a different bytecode, but basically on the developer side it's almost the same thing. So it would be very simple for a Russian mobile malware developer to go, okay, let me port my code over to Android, change a few libraries, and you're pretty much done. Recompile, boom, all the same things. If you're doing it with the Chinese-speaking areas, they're a little more complex; the environment is a little bit more complex. One, you've got like millions of users. Two, you've got people doing multiple platforms, Symbian, Android, whatnot, and I'll be covering most of these things a little bit later with actual pictures. The key trend, though, is that it's a lot more complex in those areas, and there's more competition, and the competition helps to drive more of the complexity. So instead of just having, okay, I don't know, a simple Trojan, you're having things that go after either security software or other malware writers, other people trying to make money writing basic mobile Trojans or complicated mobile malware, meaning botnets, meaning... plus we've got rootkits out there; pretty much any technique you can use on another platform, they're porting it to the mobile side just so they can keep in business.

Let's go on to, actually, yeah, how do they make money? How do you make any kind of money if you're trying to make money with mobile malware? The common ways: you write it yourself, or sell to somebody else, which is kind of the thing that happened with Zitmo, where
the first few versions were basically repurposed original malware, sold to, or stolen, whatever, I'm not sure of the exact numbers, from the original author, and turned into a way to make money for larger crime syndicates. And distribution basically would be you just put it out there, get yourself out there, get it on a site, a freeware site, a download site, pretend it to be something else, something like that. I mean, that's kind of that part. But where's the actual money coming from? One thing is premium numbers. This is your downloads, your ringtones, pretty much any way of making money doing this. You know, you say, okay, actually, how do I get some way to take money out of your user's wallet and put it in my wallet? There are also subscription services, so you sign up once with a premium-rate message and it continues to bill you over and over again. It's nice for the attacker, once again, not for us. Where's the money again? Other ways to make money: so say you don't want to be so deliberate and so obvious, like taking the money straight out. Okay, like those old 900 numbers, premium-rate telephone numbers; toll fraud, they call it in the telecom industry. Basically you sign somebody else up for one of your services, and it's very obvious because the billing is directed to the device. The other option is basically another thing from the PC side: click fraud, the ad networks, black hat SEO, things like that. I mean, you're driving traffic towards somewhere, or trying to pretend to, to make money out of somebody. What was the deal with click fraud? Click fraud is basically you have ads, and they have fraud detection techniques in place, so if you have the same guy clicking about a hundred thousand times, that's going to get a tag. If you get him clicking about 20 times, it's probably going to get tagged; I forget the exact threshold. It's pretty low.
I think, for unique individuals or whatnot. So in this case, if you were an attacker, you want to make a bunch of money, you put out something like a botnet and say, okay, I'm going to take over a bunch of different mobile devices; I've got a ton of different IPs and it's all individual users, and it all looks legitimately like real traffic. So it's a slow thing, but it's a lot of people. It's been described to me, and I've described it also, as basically you get like a dollar from about a million people. That's a pretty good haul. And also you can do it the other way, offensively, against someone else's ads: we're going to say, okay, take out my competitors, and just click on all their ads and wipe them out, take out their entire budget and take them out. And the next stage is personally identifiable information, which could be your Social Security number, some other identifying number, but maybe the identifying number of your device, something else that they can use to tell directly who you are, which is useful for various reasons. I mean, it could also be account numbers, like a Skype account or something, or a chat account. The key is that kind of information is valuable to identity thieves and other people, marketers, legitimately to marketers, and not so much to basically people who would take that and turn it into a currency via identity theft, and they will just resell that in bulk or individually, or use it individually. Once again, the next one is phishing. This is similar to the earlier thing I mentioned, the worm on the iPhone, the jailbreak worm that replaced the website. Not as popular in Europe, in North America.
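The two click-fraud patterns the speaker describes, one noisy client clicking far too often versus a botnet spending one click each across many devices, call for different detection logic. The following is an added Python example, not code from the talk or from any ad network: it runs both checks over a constructed click log. The per-client limit of 20 and the campaign-level thresholds are assumptions chosen for the sample, not any real network's settings.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Click:
    client: str      # device or account identifier
    campaign: str    # advertiser campaign the click was charged to
    converted: bool  # did the click lead to a purchase/sign-up


PER_CLIENT_LIMIT = 20  # assumed per-client threshold, not a real network's


def build_sample():
    """Constructed click log: a legit campaign with one abuser, and a botnet campaign."""
    clicks = []
    # Legit campaign: 50 users, 1-3 clicks each, a few of them convert.
    for i in range(50):
        for k in range(1 + (i % 3)):
            clicks.append(Click(f"user{i}", "legit", converted=(k == 0 and i % 10 == 0)))
    # One noisy client hammering the legit campaign: caught by the per-client limit.
    clicks += [Click("abuser", "legit", False) for _ in range(40)]
    # Botnet campaign: 600 distinct devices, exactly one click each, nobody converts.
    # No single client is above the limit, so only the campaign-level check sees it.
    clicks += [Click(f"bot{i}", "botnet", False) for i in range(600)]
    return clicks


def flag_noisy_clients(clicks, limit=PER_CLIENT_LIMIT):
    """The classic check: any one client clicking more than `limit` times."""
    counts = Counter(c.client for c in clicks)
    return sorted(cl for cl, n in counts.items() if n > limit)


def campaign_stats(clicks):
    """Per-campaign distribution features that survive the one-click-per-device trick."""
    per_campaign = defaultdict(list)
    for c in clicks:
        per_campaign[c.campaign].append(c)
    stats = {}
    for name, cs in per_campaign.items():
        per_client = Counter(c.client for c in cs)
        single = sum(1 for n in per_client.values() if n == 1)
        stats[name] = {
            "clicks": len(cs),
            "distinct_clients": len(per_client),
            "single_click_share": single / len(per_client),
            "conversion_rate": sum(c.converted for c in cs) / len(cs),
        }
    return stats


def flag_distributed_fraud(stats, min_clicks=100, max_conv=0.01, min_single=0.9):
    """Flag campaigns whose traffic is large, almost all one-click clients, and never converts."""
    return sorted(
        name for name, s in stats.items()
        if s["clicks"] >= min_clicks
        and s["conversion_rate"] <= max_conv
        and s["single_click_share"] >= min_single
    )


if __name__ == "__main__":
    log = build_sample()
    print("noisy clients:", flag_noisy_clients(log))
    print("distributed fraud:", flag_distributed_fraud(campaign_stats(log)))
```

The per-client limit catches only the abuser; the botnet campaign passes it completely, which is exactly the "a dollar from a million people" point, and is caught only by looking at the campaign's client distribution and conversion rate together.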
Well, not at all in North America. But in China, which I saw a talk on earlier, if any of you saw that talk yesterday, with, you know, the phishing going on in China, banks are a big target, and it's really useful to go after something like that. Also, you can download additional malware, maybe spyware, and get a few more details or other accounts; very useful. Which is similar to the next slide, really: if you have an account like a QQ account, which is a very popular Chinese instant messaging platform, if you're not aware, you're able to cash out money; you can trade QQ coins on the network and cash them out at various third-party vendors, which is really a black market, because it isn't legal to cash out QQ coins. So there will always be some third party, and they will take their cut, and you will be dealing with organized crime. Very useful. And also, if you're in the business of stealing people's legitimate accounts, there are also money launderers and people who help you clean that money out for you, so you'd sell to them and go through that.

Well, let's actually look at how they avoid detection and analysis and make our job a little harder. What happens? Okay, injecting the code into clean apps. We haven't seen file infectors on mobile platforms at all, possibly because we're using Java, but really because no one's trying, or no one has to try. So what would you do? You'd inject your code into something like a J2ME app: very easy to decompile, add your code into it, recompile; very simple. Symbian, a little harder; more likely Trojans or whatnot, but it's been done, put into like an IM app, so it's embedded in a real IM app, and okay, repackage it and send it back out. A little harder to do, but they've done it. Android, it's more like things like DroidDream and a few other major malware families that are really done manually; we haven't seen any evidence
it's been automated. Otherwise you'd be seeing thousands of apps, given that the Android Market itself is very open and the other markets are also; the third-party markets are completely open. So it would be really, really easy to target a certain segment of the market and just flood all the app stores with corrupted apps, which we haven't seen; we've seen relatively small numbers, 40, 50, 30, whatever, small enough that a single person could do it overnight or something, could basically produce it on their own and put it together.

What's been used to evade detection? Encryption, ranging from simple to advanced. In the simple range, we've got things like hiding the SMS within, let's say, an HTML file. Really, if it's a standard HTML file on your system in your data directory or your browser directory, you're not going to notice, and if it's J2ME, we found some J2ME Trojans; you're really not going to notice unless you're having an analyst look at it, and we'd see it and it's, okay, well, where is it? Not too hard. It's actually the little dark section right there; very simple. They actually put the SMS in the message, and it seems no one's looking at it. Truthfully, if you're a regular user, you're not going to notice it. Then they step the game up a little bit by doing another simple thing, using a simple substitution cipher. It's, okay, we replace digits with letters or something, or different digits, or whatever it takes; just really simple, and just putting it into the code. So you have like an encrypted configuration file, once again, not for the average user or the victim, but for analysts. Then one little step further, a little more complex, a little more sensible: they would look at a standard cipher, like DES.
I forget exactly what the thing was. Android/Geinimi, this was one of the first ones that actually encrypted both the URLs that it sends the data to, or that it posts to the command and control server, and also traffic it's getting back from the command and control server. So it's like, it's great, it's a symmetric cipher, relatively secure, but once again not to protect, or to hide from, analysts who would have access to the binary and have access to the actual key; I mean, it's in there already, just pick out the key. You have a symmetric cipher, you have the key; it doesn't stop us. It's really there just to keep you, or the network, from blocking and seeing that, hey, we're doing something with it, and you can't see. Lovely, right? Okay, yeah, that's right, I forgot the new version, DroidDream Light, and there was a modified version. DroidDream Light is a little smaller, slightly different, infected a bunch of... and it also uses, I figure it was DES or AES, as well, the standard algorithm, and it used it to hide a couple of root exploits that are used in DroidDream; the same identical exploits, just encrypted and hidden before they drop to disk. Other ways of bypassing protection are also important, like how do you get further infected? We've got things like, on Windows Mobile, they disable it, silent installation, so you don't even know you're being infected; real simple, it's just like a registry setting and you change it. Next step is root vulnerabilities. How do we stay on this? How do we make sure that we open up the device and it can stay on? It's like having a rootkit on a Unix box or Linux box: you've broken in, you say, how do I keep on, keep there?
Very useful, and the root exploit gets you onto any mobile device, pretty much, like on an Android device. Anyway, let's just go with those. So DroidDream did it, DroidDream Light doesn't, and the funny thing is the attackers aren't writing their own exploits. They're not wasting their time writing exploits; they're writing malware that makes them money today. They don't have time to waste looking for vulnerabilities, spending time to write the exploits themselves. They don't care. And then jailbreaking; let's talk about how to reduce security. Has anyone seen that talk at ToorCon last year, Eric Monti of SpiderLabs? He did a talk, a nice proof of concept, where he reverse engineered the jailbreakme.com exploit to remove the warning messages from the exploit and then modified it so it was totally silent. So you visit a website, you get a silent drive-by download on a jailbroken, sorry, a regular iPhone, and then you've had malware installed on your phone. And what was installed? You could install a key logger, and he tried it against a very popular credit card processing application; it has a little dongle you attach to your phone, something in that range, and you slide it, and he was able to read the numbers. You could also modify that to send it to himself, his own server. And of course this is on an unpatched phone; he had an unpatched phone because Apple had patched it prior. But the same rules apply to pretty much any zero-day exploit that gives you root access or gives you jailbreak access, which would give you access to the file system and helps you gain control of whatever you need. The concept really is, if you have something that gives you that kind of access, it's very simple to port it and make it malicious. Nothing new, nothing surprising, but yeah, actually, when I did it... Let's look at some real malware
that's actually out there currently. This first one is a simple SMS-sending Trojan; it pretends to be something else. What is that? Okay, send something; it helps you send SMS easily, like it has templates and patterns or whatever you want. Something interesting: how do you make money doing it? Same deal, sending SMS, premium SMS. And this one actually has a couple of choices, three different vendors, based on your geographical location. Why? Because the short codes that they send the SMS to are also locked by geographic region, and you're not going to make money by sending to somewhere outside. So when we test it outside of, say, Russia, or outside of Kazakhstan, or outside of Ukraine, we're not going to be able to test it on the network, or test the thing in that manner, or know that anything's happening, meaning they're very locked geographically. Something a little different: a little phishing exercise here. So VKontakte is a very popular social networking platform in Russia, in Russian-speaking areas, very similar to Facebook. And so it's like, okay, if you can get those accounts, you can use them for blackmail, you can use them to gain more people, more contacts, pretty much exploit them in any manner and whatnot. So what is this up to? It pretends to be a mobile client for VKontakte, and so you try to log in, it gives you an error message, and meanwhile in the background it's emailing your credentials to the attacker. Real simple: blackmail users, resell the data, a number of things you can do to make money.

All right, that was J2ME. Let's look at Symbian, which is actually quite complex, and generally we're mostly seeing this in China, not so much outside. These are the most modern Symbian phones, with the data protection that wipes out pretty much all the worms that we had three or four years ago; currently these are much better.
You need to have signed certificates, signed apps, and all things like that. Well, actually, this is an older version: it's Kiazha. It was part of a multi-dropper, and it was designed to fool the users into thinking, hey, we messed up your phone. They did mess up your phone; they installed a bunch of rubbish on your phone, and it slowed your phone down, and it said, send me some money over QQ. QQ coins, again, are the money for that instant messaging platform, and it was like, okay, send us the money. I don't think we've seen a conversation of anyone who sent him money ever getting their phone fixed, or getting any kind of fix tools for it, but it was a pretty good technique. I mean, tell you to send the money or else, right? Something else on Symbian, on Python actually, just to show the point that scripting is not just limited to things like Java, or simple Trojans aren't just Java. They do it with any easy, relaxing thing, or simple thing you can pull back to. I believe this might have been a Russian-language one; it allows you to send... yeah, actually it was. Once again, you'll see the type of variation: the previous one tried a little harder to make you think; those are the Chinese ones, basically, and the Russian ones, they don't even have to. It's so easy for them; they're not wasting the energy to decide, okay, we're going to do something like this. That's a simple, simple thing: pretend to be a chat client and take your money. Simple. And back to the Chinese again. This is, once again, the more modern Symbian malware, SuperFairy.B. A lot of details; I've got about 40 slides here, various things, I have to remember the exact details of each. If you look at the slides on the CD or the DVD that came with your badge, it lists a reference for each of these malware, so if you need further details they're there. But how they profit: in SuperFairy, I think it added bookmarks to a certain smartphone forum.
So you drive traffic towards a given website, and you have people coming in and clicking, and you have multiple infected units, or users. So the real deal with having a bookmark on a phone, like a Symbian phone, or a phone that is not a smartphone, where it's a lot of numbers or whatever for texting, is that if you have a bookmark, you're going to go to the website regardless of anything else, because it's a pain in the butt to actually type in www dot blah blah blah, a 50-character-long URL with numbers; difficult. So the bookmark is really a very popular way to get people to come to your site, and it's not so direct, and once again not so directly traceable, like, what do you call it, money things. All right, and we didn't see the second portion there live; it was already disabled, the forum was disabled. So instead people were doing, what is it called, trying to get it to download additional files; so it might have been malware, might have been spyware, could have been adware. Another one, Inspirit.A; this was kind of neat. Once again, it's not like the previous simple one; this one is a little more complex. It's trying to pretend to be an actual helpful utility, and this is also kind of interesting in how it does its phishing. Earlier I mentioned malware injecting SMS messages into your inbox for phishing. If you're phishing normally, you send a text message to somebody and say, oh, here's a text message from some number; it looks like a normal user number, or a number I don't recognize, not the number for my bank. These guys say, okay, well, we know the number for the bank, we know how to put the message into your inbox using the APIs to insert it, meaning they were advanced enough developers to know that, hey, as an attacker, we can put that into your mailbox, you see the text box,
sorry, text message, with an address from your bank. You've seen it before: every time you log into your website or something, you can get a service message from your bank. It'll say okay, here; it looks familiar, it looks like it's from the bank, it's a real number, and it looks very authentic. I mean, it bypasses basically all the protections you'd normally have as a normal user, like, how do I know this is the real one? It passes the smell test, basically: looks like a duck, walks like a duck, it's probably my bank. And this one tells you, okay, people have tried logging into your account; very sneaky technique. We're going to lock you out; please log in. It's that whole social engineering technique to get you to go and get phished. Pretty useful, and a good way to avoid detection.

Let's go on to the Android malware, of which there's quite a few. This is Android/Geinimi. So the first one we mentioned, it was kind of neat; it infected a bunch of legitimate applications, and it required a lot of permissions, very suspicious. And when you actually analyze it, we saw it had backdoor functionality, so it talked to a command and control server, and the attacker can do a bunch of things to you, which is kind of nice. The question is, how do you do that to make money? You have a complicated malware, you have a way to talk back and forth to the client, and you have a way to load software, install software onto a bunch of things. So I can add additional software once I have my team working on something new, and as an attacker, it's saying, okay, I've got something on their devices; how do we get more stuff on there without having to go fool them and infect other applications, and how do we do that? Same deal. And it also went after your contacts, so okay, we have new targets to go after; we can do things like give them the same messages and whatnot. Pretty much that was Geinimi. Another one is "steamy screen script";
I'm actually not sure how that's pronounced. Usually we try to name them so we can at least pronounce them, but I mean it was common and pretty much all of us use it. This thing was stealing information that identifies your phone specifically. We have various theories on that; some people think, okay, they're using it to clone it. I don't think there's profit in cloning smartphones as much as just stealing the money: if it takes you less time to steal the money, the attacker is probably going to go after that directly. They're not going to waste time trying to clone your phone and say, okay, we're going to use your phone, let me copy it so I can make phone calls now. They're going to just take the money from you. This one's able to generate SMS messages to your premium-rate number, and pretty much the same things Geinimi did, without using the root exploits. So the root exploits are very nice, when they really only allow a few different things like... actually, no, I'm thinking about DroidDream. That's coming up, or at least another version. Here's another variant: this is the calendar application that was infected and modified. Every time you load it up, it goes to January 1st, and you have to move forward to get to whatever date in 2011, I believe; you have to move forward to get to your current date every time. But every time you move forward, I think about four or five times, it triggers a payload and it starts sending out the premade messages, and it also deletes messages, so you don't know that you're being signed up for like a subscription service to a weather channel or a horoscope or who knows. A very popular one, though, is Android/Tcent.A, which is named after, and it's an app that's named after, a variation of the main company behind QQ, the popular instant messaging client.
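The speaker's point about Geinimi "requiring a lot of permissions, very suspicious", and about the infected calendar app sending premium SMS and deleting the replies, is the basis of the simplest triage an analyst does on a repackaged Android app: compare the permissions the manifest requests against what an app of that kind plausibly needs. The following is an added Python example, not code from the talk or from any vendor: it parses two constructed manifests (a benign calendar and one modelled on the infected-calendar pattern) and reports the risky permissions that fall outside an assumed per-category baseline. The baseline sets and risk notes are assumptions for the sample, not Google's definitions; the permission names themselves are real Android permission strings.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the "infected calendar app" described in the talk.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <application android:label="Calendar"/>
</manifest>
"""

# Constructed manifest for the clean version of the same app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <application android:label="Calendar"/>
</manifest>
"""

# Assumed baseline: what an app of each category plausibly needs.
EXPECTED = {
    "calendar": {
        "android.permission.INTERNET",
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
    },
}

# Why an unexpected permission matters, in terms of the monetisation schemes in the talk.
RISK_NOTES = {
    "android.permission.SEND_SMS": "can send premium-rate SMS (toll fraud, subscriptions)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS before the user sees it",
    "android.permission.WRITE_SMS": "can delete billing replies or plant fake 'bank' messages",
    "android.permission.READ_CONTACTS": "harvests contacts as new targets",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill security software",
}


def permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def triage(manifest_xml, category):
    """List risky permissions the app requests beyond its category baseline."""
    unexpected = permissions(manifest_xml) - EXPECTED.get(category, set())
    return [f"{p}: {RISK_NOTES[p]}" for p in sorted(unexpected) if p in RISK_NOTES]


def verdict(manifest_xml, category):
    """Constructed rule: two or more risky extras, or SMS send plus SMS write, is suspicious."""
    findings = triage(manifest_xml, category)
    perms = permissions(manifest_xml)
    sms_pair = {"android.permission.SEND_SMS", "android.permission.WRITE_SMS"} <= perms
    return "suspicious" if len(findings) >= 2 or sms_pair else "ok"


if __name__ == "__main__":
    for name, m in (("benign", BENIGN_MANIFEST), ("repackaged", SUSPICIOUS_MANIFEST)):
        print(name, verdict(m, "calendar"))
        for line in triage(m, "calendar"):
            print("  ", line)
```

The check is deliberately category-relative: SEND_SMS is normal for a messaging client and alarming for a calendar, which is why the same repackaging trick the speaker describes for IM apps on Symbian is harder to spot by permissions alone.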
So it pretends, actually, to be software for that, like a new client or something along those lines, for that instant messaging platform. Yeah, okay, there we go: the security-application-killing app. It actually goes after the default security applications that are installed when you install your... or if you have an installer. So it's going after AV, it's going after the firewall, it's going after whatever you have on your phone already. It's going after each of them, which is a lot more complex than we see normally: not just a simple Java Trojan, but an Android Trojan that's going after other people who are trying to clean them off the phone. The game, you see, is like with rootkits and basically things of that nature: whoever gets on the device first wins. So if you have security software and you're not protecting yourself, you're probably going to get hit by something like Android/Tcent.A. And once again it also does the whole premium-rate sending thing, makes money doing that. So it protects its business and it does its business. Cousin.A; this one tries to be an MMS app. It doesn't matter what they pretend to be, because they're all basically trying to be something that they're not and getting up there and saying, okay, install us, we're very good people. That's the social engineering portion; that's the easiest part of it. The hard part is that you've always seen three or four that are coming out of China, or on Android, and are basically looking at each other, like, to make money off the same basic... Well, okay, we've got about a million users or odd here and there, and there's room, but they're still going after the same market and saying, okay, we have to worry about all these other characters. And also it has command and control software, and it can get rid of other software, which is nice; so, for them, not for anyone else. Another nice new one is DroidKungFu. This was discovered by, I forget who, at the end;
I'll acknowledge them all; they're mentioned later. But this was the one that was very similar to DroidDream with the root exploits: it downloads them and gains access, and it's basically able to stay in areas outside of the standard Android application locations. If anyone's seen the Google, I think it was the DroidDream malicious app cleaner from Google, it was an Android Market cleaner. It had to use the same root exploits installed by the malware to clean the malware off the phone, because by default it's not possible for us, security software, or Google, or anyone else, to delete malware that's not stored in the standard Android application directories. Right, that's where it would be the most important place.

It does something similar for making money again, by loading URLs in the browser, sending you to, trying to generate traffic towards, some websites and telling them, hey, go over here. Well, actually, that's also used for loading ad clicks. Basically an ad click is a URL you load up, or it's going to be a POST or whatever it's going to be, and it generates an individual ad click from millions of users.

Back one. They're actually quite similar, a lot of these. There we go, Pjapps, another variation on a family of the things that invade and install into, excuse me, legitimate applications, and also make money for people. Okay, yeah, so this one signs up for premium rate services and also adds bookmarks.

This one was a little bit more interesting.
This is Tonclank; you might have seen it named Plankton or a few other things. If anyone's seen that, at SummerCon I think about two years ago, Jon Oberheide presented a Twilight preview app, which is very nice. It pretended to be an app for the upcoming, I think it was Eclipse at that time. And it's like, okay, so you have a very popular movie coming out and you have an app that pretends to be that; that's a really great way to get people to download it. What it does is it downloads binary exploits from a server under his control. It's just a proof of concept, but it was hilarious that people actually downloaded this and were complaining, "this app only has two pictures" (one was the preview app in the Android Market and one was the one in its place), "this is broken." You got about a hundred thousand downloads or something for this.

Yeah, Tonclank, and Plankton is very similar: it downloads code, but instead of downloading binary apps it actually downloads Android code. So it has a class loader to load class files from an additional APK downloaded from the attacker's server. Kind of new, and it also has a few more features, like deleting history and deleting bookmarks. Where's the profit in that? You get rid of anything users used before, like, say, Google or Baidu or any search engine, and instead you put in bookmarks for your own site. You say, come to mine instead, because they will; it's really easy, it's there, and you delete the other bookmarks, even worse for them. And also it has a way of, sorry, if you've seen the UI talk by a Trust Safe lead,
I think it was yesterday, a little early in the day. They were talking about how you can present messages to users, like a legitimate application, in the same way. Tonclank displays messages and allows them to phish you and say, okay, do this or follow this action, something very similar, and send it out there.

Another new Android malware is BaseBridge, which does something similar to the previous two, where it actually can go after security software and AV software. And I think one or two of them actually go after other malware; I don't have names for those at the moment. How would they profit from something like this? Same deal: sending SMS messages to your premium rate number and signing you up. In various places it's easy to get a premium rate account where you provide a service for a certain amount of money. You might have seen ads on television that say, okay, sign up for this ringtone thing, or whatever it is, and then in the small print it's a repeating service; it repeats, like, every month you get billed, like, ten bucks or whatever small amount of money. And it works very similarly everywhere else.

Then we have another one, J.SMSHider. Pretty much does the same thing, sending premium messages and installing additional malware; not too complicated.

And then we have GoldDream. If anyone's seen the article that I think was posted today, saying that GoldDream is a malware that records your conversations and records audio from Android phones: not this malware, that's another one called Android/NickiSpy. I don't have a slide for that because it's not really a for-profit malware; it's really more spyware, or malicious spyware, not the same thing as for-profit. GoldDream was doing the same thing, going after banking by intercepting a mobile TAN. So it's just like ZeuS-in-the-Mobile, the one where, you might have seen the Zeus crimeware toolkit that does phishing on the PC side, they have a mobile portion that intercepts the SMS messages. This is very similar, and it'll intercept your SMS messages that have your authorization code. This is like those RSA tokens that change every 60 seconds; I heard from somebody yesterday it was maybe 30 seconds. In the email, I'm sorry, SMS text message, the authorization code, which is about six digits, a small amount of numbers, lasts about 30 seconds, so long enough for the network to get it to you, like, almost instantly. And depending on how small that window is, it also affects how the attacker goes after your bank account. So if it's a short amount of time, they need to be on it the same way you are on it, on the account, so they'll log in immediately. I talked to another guy who said, okay,
he's monitoring financial transactions. We don't get to see those as much, but on the financial transaction side you can see how the malware does it versus how an average user would do it. If you log in as a bank account user and then you move money, you've got to go through the menus, you've got to click, click, click; it takes a few minutes, average time maybe five minutes if you know exactly what you're doing. With the malware, they were seeing traffic patterns that looked like this (this is PC malware): a login followed by, about two seconds later, a transfer. So a big difference and very easy to detect. There's a paper coming on this in a couple of weeks from the other researcher.

Right, same deal: sends premium rate messages and adds new software, which is always bad. Everything we're seeing here could have been variants; it's all like any of the previous ones coming before it. And it actually shows the pattern that people are actually trying to come out for your money now. They're doing it on mobile devices and they're looking for ways to get to you easily, and once again all they need to do, if they have something at least a little complex, is to be the first one on the phone, before any protection, before anybody else helping out. We tend to recommend: look at the reviews if you can, see if something's very popular, try to avoid untested applications that have maybe five or ten downloads if you can, some kind of reputation service, maybe somebody, your friend, knows something. Rather that, before we have something, or somebody provides you that, or try any of the other various people providing security software on the markets now.

Another application: HippoSMS.
This was another one that inserted code into an application. A bit repetitive, some of these things, you know, I mean, they're on platforms, but really the key interesting part is just how they make money and how they go after each other. Where we're trying to make money, other attackers are also going to make money. That's a neat portion. Same deal: deletes messages so you have no idea you're signed up to a subscription service.

Let's see what I got left. Okay. This is actually something more interesting. Another, and this is a proof of concept, not a malware: this is Soundcomber. It was called Soundminer initially; you might have seen the videos online. This is basically a university project testing: how do we create an app with the fewest permissions and still be able to do something like taking your, sorry, your interactive voice response. So basically those menus, you press one, press two, whatever, like the ones you call your credit card company. Okay, at some point in one of those calls you're going to be typing in your credit card number, or you're going to be saying your credit card number, and that's a pretty good target. Soundcomber goes after that. It's made of two pieces: one is, I think, the deliverer, and then Soundcomber, the app. So the first app gathers audio from your microphone, either you saying your credit card number or typing it in; it'll actually listen to the DTMF when you type your credit card number into the phone. You figure, wow, it's right there: it's not something next to me seeing my information, it's the phone itself going after me now. It doesn't need to do anything more than that, the Soundcomber app, but it does pass it to the second app, the deliverer, which does something interesting: it processes the sound files, because they're processed out, and sends them back out as, I think, a very small amount of data. Was it sound? I forget.
How do they actually make money? They've got the fingerprint database for a number of credit card companies' interactive voice response systems, so they know, okay, this is the point where the user has hit the number and gone to, like, press one and two, and entered the "enter your credit card number" stage. Okay, we'll hit that, we'll go off at that location and say, okay, we'll gather, say, the 10 seconds it takes him, or 20 or 30 seconds, to say the number, and then we'll take that, put it on the desk and scan that, or process that specific sound clip for the digits. Now their detection, or their processing of sound, is pretty good, and it was able to get, obviously, a credit card number; maybe they'll have a little trouble with, like, 15 digits and, like, the last number maybe cut off or something, depending on how long they record it. But since you've got the second digit and then there are only, like, nine digits, it could be that they think it's brought to them until they actually get your number. Very convenient, very neat. Very few permissions, not as many as I believe they show in their video, something about a torch application or a sound application, nothing like that, very limited, and they can still do damage. We have not seen this live in a real malware outside yet, but it looks very interesting. It looks like people could do this in the market or in the wild, and we might eventually see this.

Thank you. All right, and that's pretty much the rest of the presentation. We have references in the presentation for all the malware here with actual technical details and a bit more data on the applications, maybe a few images. And we were referencing the Soundcomber presentation by the team that presented earlier; I forget exactly what university they're from, because it was actually a bunch of people from a number of universities who got together and put this together. Very nice project; there's a video there and a few acknowledgments of people who provided information on the crimeware and how people actually make money doing this. People who actually tested this against us: Fyodor of, I think it's o0o. Oh, thanks, I couldn't pronounce the name of his thing. He did a talk, From Russia with Love.exe, which was an example of how Russian criminals were making money off PC malware and getting money from you. And I also talked to Billy Lee and then Tom Panpan of Antiy Labs; they probably have more information on China. And once again, the team for Soundcomber, and also Dr. Zhang of North Carolina State University, who found a bunch of the samples in the latter part of the presentation. Another colleague, John Boo, helped me out with the Chinese market a little bit more, and also Joe Issue, if you've seen his talk on phishing yesterday; he was quite helpful clearing up a few details.

Were there any questions regarding any of these? Yeah.

The question is, how do the hackers get paid when they're doing the premium rate SMS attacks? Is that right? So you're asking if they run the premium rate service or are they getting it through a third party? A little bit of both, actually. The premium rate service, I understand in Russia it's easy; it's easy to get an anonymous premium rate number and have people dial that number and collect the money and then disappear afterwards. So it's a little easy in certain markets to do that. Oh, I understand we have to move to the Q&A room. It's track three Q&A; I think it's across the hall. Oh, thank you.
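Earlier in the talk the speaker describes the one pattern on the banking side that he calls very easy to detect: malware logs in and fires a transfer about two seconds later, while a person clicking through the menus takes minutes. The following Python is an added example of that check, written for this page and not code from the talk, from McAfee or from the researcher he mentions. The log format, the session ids and every log line are constructed assumptions; the ten-second threshold and the count of intermediate actions are choices made for the example, not values from the talk.

```python
"""Flag banking sessions whose first transfer follows login implausibly fast.

Added illustration (not from the talk or McAfee): an automated client logs in
and transfers within seconds, while a person navigating menus takes minutes.
The log format below is an assumption, and every line is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log: "<ISO timestamp> <session id> <action> <amount or ->"
SAMPLE_LOG = """\
2011-08-05T10:00:00 sess-1 LOGIN -
2011-08-05T10:01:10 sess-1 VIEW_BALANCE -
2011-08-05T10:04:37 sess-1 TRANSFER 250.00
2011-08-05T11:12:03 sess-2 LOGIN -
2011-08-05T11:12:05 sess-2 TRANSFER 980.00
2011-08-05T12:00:00 sess-3 LOGIN -
2011-08-05T12:00:01 sess-3 VIEW_BALANCE -
2011-08-05T12:00:02 sess-3 TRANSFER 40.00
2011-08-05T13:00:00 sess-4 LOGIN -
"""


@dataclass
class Event:
    ts: datetime
    session: str
    action: str
    amount: Optional[float]


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log format defined above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, action, amount = line.split()
        events.append(Event(datetime.fromisoformat(ts), session, action,
                            None if amount == "-" else float(amount)))
    return events


def find_fast_transfers(events: List[Event],
                        threshold: timedelta = timedelta(seconds=10)
                        ) -> List[Tuple[str, float, int]]:
    """Return (session, seconds since login, intermediate actions) for every
    session whose first TRANSFER lands within `threshold` of its LOGIN.

    The intermediate-action count is a second signal: a person usually views a
    balance or picks a payee before transferring; an automated client often
    does nothing in between.
    """
    login_at = {}   # session -> login timestamp
    steps = {}      # session -> actions seen since login
    done = set()    # sessions whose first transfer was already judged
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "LOGIN":
            login_at[ev.session] = ev.ts
            steps[ev.session] = 0
            continue
        if ev.session not in login_at or ev.session in done:
            continue
        if ev.action == "TRANSFER":
            done.add(ev.session)
            delta = (ev.ts - login_at[ev.session]).total_seconds()
            if delta <= threshold.total_seconds():
                flagged.append((ev.session, delta, steps[ev.session]))
        else:
            steps[ev.session] += 1
    return flagged


if __name__ == "__main__":
    for session, secs, n in find_fast_transfers(parse_log(SAMPLE_LOG)):
        print(f"{session}: transfer {secs:.0f}s after login, "
              f"{n} action(s) in between")
```

On the constructed log, sess-2 and sess-3 are flagged (two seconds from login to transfer) and sess-1, which took several minutes and viewed a balance first, is not. In practice the threshold would be tuned against the observed distribution of human session times, and a flagged session would feed a step-up check rather than an automatic block.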