Lookout’s ‘Operation Dragon Lady’ uncovers mobile malware industry

Russians have turned stealing money from Android smartphone users into an entire industry, according to a security app maker’s investigation.

Lookout Inc. studied how 10 Russian groups convince users to download what appears to be a legitimate mobile app. During the supposed download process, code runs that sends a premium text message from the user’s phone. Premium text messages result in an extra fee at the bottom of phone bills, typically about $3 to $18 in this case. The hackers eventually get that money.

The organizations have built an impressive distribution chain, said Ryan Smith, senior research and response engineer at Lookout.

A few bosses build the malicious code. Thousands of foot soldiers customize and peddle it. Web developers and social media experts are paid to help distribute links to the malicious downloads.


The scam run by these organizations targets Russians and Eastern Europeans, especially those looking for pornography apps. The attack is less prevalent in the U.S. But Lookout wants to stay ahead of the curve, improve blocking features in its app and show the hackers that targeting Westerners will be a losing proposition.

“Russians are very smart and clever,” Smith said. “They are starting a trend showing that text-message fraud can be commoditized, and it’s important for us to look at their tools and tactics to keep it from spreading.”

The research firm MarketsandMarkets says Lookout’s mobile security app is the most used consumer app of its kind in the world, thanks largely to a distribution agreement with the leading phone maker, Samsung Electronics Co. Lookout claims 45 million users.

Google Inc., which leads development of the Android operating system, has released features to prevent premium text-message fraud. The newest version of its operating system, 4.3, provides three alerts before a premium text message is sent.

Phone carriers in the U.S. have stemmed the problem by waiting two months before turning money over to recipients. That gives victims plenty of time to fight the small, unknown charges. In Russia, Smith said, there is little delay between the sneaky sending of the message and the money transfer.

Lookout’s researchers had noticed that its app was catching several similar attempts to send text messages. The company began “Operation Dragon Lady” in December. Nearly a third of the apps were traced back to 10 organizations.

At the top, a few developers build the key technical parts of the app and create premium numbers. Others can log onto a website and customize the app. Lookout declined to publish the names of the websites, saying it did not want others to consider using them.

One website the company showed featured penguins cheerfully sitting on a phone that was pouring out gold coins.

“They want to make it look fun and easy to do,” Smith said.

The sites make it a competition to distribute the app to as many people as possible. Scoreboards show which users are raking in the most money. Smith said they even hold competitions, giving six-digit bonuses to top distributors.

During the customization process, distributors can make the apps mirror dozens of different apps, including games, browsers, instant messaging programs and porn.

They load special code onto malicious websites and then recruit people to help get links to the dangerous download pages. Smith said Lookout reported 50,000 Twitter accounts solely designed to draw people to the fake apps.

Some top distributors make $12,000 a month, Smith said. Others who put less effort in can walk away with a few hundred dollars.

Lookout doesn’t have any deals in Russia to make its app a default on new phones. Many Eastern Europeans also have older versions of Android. Still, the company said adding users in Russia was not an immediate focus. The U.S. and Western Europe remain the primary market for attracting people to its $30-a-year service.

The rare occurrence of text-messaging malware in the U.S. is more likely to come from enterprising individuals, Smith said. But text-message fraud is already becoming an issue in Southeast Asia.

“By having all this information available about distribution channels, we’re keeping a much closer eye on them,” Smith said. “As soon as they move, we move.”

