Cybercriminal In Brazil Shares Mobile Credit Card Store App


CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP
RSA Monthly Fraud Report, August 2014

RSA agents recently traced a threat actor advertising a mobile credit card store application. The cybercriminal shared the information on his Facebook page, including instructions for using the app and links for downloading it. Beyond its obvious purpose of selling compromised card credentials, launching the application on a mobile device also prompts requests for user permissions that give the application the kind of control over the device usually associated with malware.

RSA's open source investigation revealed a cybercriminal openly advertising a CC store (Figure 1) designed as a mobile phone application for Android and iPhone devices (a translation follows below).

"Good evening everybody! Today I'll show a project that I've been developing for a while. It's an automated credit card shop application that runs on Android and iOS, using my web credit card store as its database.

Remember that I'm the first Brazilian programmer to develop a mobile application that sells credit cards. My clients are increasing day by day and I hope that this new system helps them with their shopping.

The Android application is already nearly done and the iOS one is 60% done (tested on a Galaxy S5 and an iPhone 5S; if it doesn't work on your mobile, send me a message with your model and I'll check!).

This message is already long so I won't be giving any more details. Below is the link to my website to download the app and its link on Google Play!

Don't forget to install it on your Android, and next week I hope that iOS will get it too!"

AVAILABLE IN THE OPEN MARKET

The application was made available as a free download on Google Play. The cybercriminal provided the following instructions for using the app:
– Order a batch of CC credentials
– Enter personal info
– The app sends banking info for making a deposit
– Wait 24 hours to make the transaction
– Take a photo of the deposit slip as proof and send it to the fraudster
– Receive the CC credentials by return mail

The CC shop website shared by the fraudster contains a link that automatically starts downloading the application (Figure 2). Clicking the Android link downloads an Android binary (APK); the iPhone link displays a message advising the user to wait for a week.

A sample of screenshots from the app, with relevant translations, follows.

Screenshot translation (terms of service):

1 Methods of payment:
We accept only bank deposits. As soon as you make an order, an order number will appear on the screen with the rest of your registration info and the total sum to be paid. After you make the order you have 24 hours to make the payment and send the receipt (it can be a photo, a scan or a digital receipt, sent to financial@.). Remember that a few cents will be added to the sum to better track the deposit. The client will then receive an email confirmation. We can't guarantee product availability before the money is in the bank account.

2 Delivery time:
After the payment confirmation, expect a 2 hour delay before the information is sent. When the payment has been accounted for by our financial sector, the client will receive confirmation via email. Our objective is for your order to be delivered ASAP. Plan your shopping and choose the best delivery method according to your needs.

3 Information exchange:
Offering the best service to our clients with a total guarantee is our most important objective. We want you to have the best shopping experience possible, so we accept exchanges or give your money back at no cost.

Buttons: "Agree" / "Disagree".

Screenshot translation (order form):
– Order code
– Name
– Email
– Package: Gold
– Quantity: 10 units
– Payment method: Deposit
– Total value: R$ 700,15 (Brazilian real)
[Send order]

Confirmation screen: "Your order was successfully sent! Check your email for deposit info. After the deposit, you'll receive a payment confirmation in the CONFIRMATION menu."

ANALYSIS OF THE MOBILE APP

A deeper look into the Android application shows that it has the potential to be used as malware. Upon launching, the app requests a large number of permissions from the user, of the kind commonly seen in mobile malware. Some of the permissions requested include:
– Read and write access to Calendar and Contacts
– Access to your location (GPS and network)
– Call phone numbers
– Read and write access to protected and to external storage
– Access to your camera and microphone
– Access to the device ID and phone status

After reverse engineering and static code analysis of the application, RSA agents discovered code that could indicate its use as malware. The app has the ability to download and install new applications and functions (such as reading SMS, reading SD cards, etc.). This means the application can update itself later, installing additional components that can make use of any of the permissions above.

Additional features revealed by analysis of the application:
– Upon opening, the application spams the user with two different advertisement banners.
– The app has access to external storage, so it can store and install new applications in the external memory space.
– The app employs anti-SDK (anti-emulator) checks: it reads the Android build properties to determine whether it is running on a physical mobile device or on a virtual machine (a laboratory testing environment).
– The app reads the country code and network operator code from the SIM card.
– Upon installation, the app attempts to access the SMS service and read SMS messages.

It is important to note that the CC store application code itself is not contained in the Android binary (APK) originally downloaded to the device. Instead, the application updates itself as follows:
– When the application is launched, it downloads the necessary library from the fraudster's server. The library contains the code providing the functions needed to make the CC store accessible from the user's device.
– The fraudster can change that code on his side at any time, so that the user's application downloads the new version and uses it without the installed app itself having to be updated.
– In some cases the library is not downloaded even though internet access is available. This may be because the app performs the anti-SDK check first and only downloads the library once it has verified that it is not running on a virtual machine.

CONCLUSION

This is one of the first malicious mobile apps developed by Brazilians. The permission requests upon launching may be a sign that the app is also used as malware. Ironically, since cybercriminals are the ones who will use this app to buy CC credentials, they may themselves be "ripped" (ripped off) by the developers of the app.
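The permission set, the build-property emulator check, the SIM/operator reads and the runtime library download described in this section are all things an analyst can triage statically, before the sample ever runs. The following script is an added example and is not code from the report or from the app it describes: it takes an app's AndroidManifest.xml (as decoded by apktool) and the string constants and class references pulled from classes.dex, and flags the permissions and API references that correspond to the behaviours above. The manifest, the DEX strings and the package name com.example.ccstore are constructed samples; the indicator lists are this editor's own selection of real Android API names, and the "dropper-like" rule is a heuristic, not a malware signature.

```python
"""Static triage of an Android APK for the behaviours described above.

Inputs (both CONSTRUCTED samples here, not artefacts from the app in the
report):
  1. AndroidManifest.xml as decoded by apktool (plain XML).
  2. String constants / class references pulled from classes.dex
     (the DEX string table, or grep over smali output).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities listed in the report, mapped to
# what each one grants. All are real Android permission strings.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALENDAR": "read calendar",
    "android.permission.WRITE_CALENDAR": "write calendar",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "device ID / phone state",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
}

# Code-level indicators grouped by the behaviour they suggest. The class,
# field and method names are real Android/Dalvik APIs; "generic", "goldfish"
# and "sdk" are the usual emulator build markers (and "sdk" is noisy).
INDICATORS = {
    "dynamic code loading": [
        r"dalvik/system/DexClassLoader", r"dalvik/system/PathClassLoader",
    ],
    "emulator detection": [
        r"android/os/Build", r"\bFINGERPRINT\b", r"\bgeneric\b",
        r"\bgoldfish\b", r"\bsdk\b",
    ],
    "SIM / operator read": [
        r"getSimCountryIso", r"getSimOperator", r"getNetworkOperator",
    ],
    "SMS access": [
        r"content://sms", r"android\.provider\.Telephony\.SMS_RECEIVED",
    ],
    "package install": [
        r"application/vnd\.android\.package-archive",
        r"android\.intent\.action\.INSTALL_PACKAGE",
    ],
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def match_indicators(dex_strings):
    """Map each indicator category to the sorted DEX strings that hit it."""
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = {s for s in dex_strings if any(re.search(p, s) for p in patterns)}
        if matched:
            hits[category] = sorted(matched)
    return hits


def dropper_like(flagged_permissions, hits):
    """Heuristic: fetches code at runtime AND has somewhere to stage it
    (external storage) or a way to hand it to the installer."""
    loads_code = "dynamic code loading" in hits
    can_stage = ("android.permission.WRITE_EXTERNAL_STORAGE" in flagged_permissions
                 or "package install" in hits)
    return loads_code and can_stage


def triage(manifest_xml, dex_strings):
    """Combine manifest and DEX evidence into one report dict."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in sorted(perms)
               if p in SENSITIVE_PERMISSIONS}
    hits = match_indicators(dex_strings)
    return {"permissions": flagged, "indicators": hits,
            "dropper_like": dropper_like(flagged, hits)}


# --- constructed sample input (not from the real app) -----------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ccstore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="CC Store"/>
</manifest>
"""

SAMPLE_DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",                 # loads a downloaded .jar/.dex
    "Landroid/os/Build;", "FINGERPRINT", "generic",   # emulator check
    "getSimCountryIso", "getNetworkOperator",         # SIM country / operator
    "content://sms/inbox",                            # reads the SMS inbox
    "application/vnd.android.package-archive",        # hands an APK to the installer
    "http://example.invalid/lib.jar",                 # hypothetical update URL
    "Ljava/lang/String;",
]

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS)
    for perm, what in report["permissions"].items():
        print(f"permission  {perm:<50} {what}")
    for category, strings in report["indicators"].items():
        print(f"indicator   {category:<22} {', '.join(strings)}")
    print("dropper-like:", report["dropper_like"])
```

The point of doing this statically is the last bullet above: a sample that only fetches its real code after passing an emulator check will look inert in a sandbox run, while the loader class, the build-property reads and the permission set are all visible in the APK itself. Treat the "emulator detection" hits as a prompt to run the sample on a physical device or with the build properties patched, not as a verdict on their own.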

PHISHING STATISTICS, AUGUST 2014
Source: RSA Anti-Fraud Command Center

Phishing Attacks per Month
RSA identified 42,571 phishing attacks in July, marking a 25% increase from June. Based on this figure, RSA estimates phishing cost global organizations $362 million in losses in July (global phishing losses, July 2014).

US Bank Types Attacked
U.S. regional banks have consistently been hit with 30–35% of phishing volume over the last few months, targeted by about one out of every three attacks. [Chart categories: credit unions, regional banks, national banks; only the regional share is stated in the text.]

Top Countries by Attack Volume
The U.S. remained the most targeted country in July with 63% of phishing volume. China (6%), the Netherlands (5%), the UK (4%) and France were collectively targeted by 20% of total attacks.

Top Countries by Attacked Brands
Brands in the U.S. (29%), the UK (11%), Canada and India were targeted by half of all phishing attacks in July.

Top Hosting Countries
There was a surprising spike of hosted phishing attacks in Hong Kong in July at 13%, while the U.S. continued to remain the top hosting country at 36%, despite a 7% decline from June. [Chart: two further segments of 6% and 5% are not labeled in the extracted text.]

Mobile Transactions and Fraud (Q2 '14)
In Q2, 33% of banking transactions originated in the mobile channel. This marks a 20% increase in mobile traffic from 2013 and a 67% increase from 2012. Among total transactions, one out of every four (25%) identified fraud transactions was initiated from a mobile device.

CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa.

© 2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. AUG RPT 0814
