Originally malware was mainly designed to cause mischief or disruption. Today it’s all about the money. Surprisingly, though, the person whose device is compromised isn’t necessarily the financial victim. Instead hijacked mobile devices turn into cash-generating machines for malware creators by defrauding online advertisers.
A Major Problem
It’s no surprise that fraudsters want to target the digital advertising market. Research firm Zenith forecasts digital ad spending will total $225 billion by 2020, which will make up 44 percent of all forms of advertising. That’s a big incentive for malware creators to explore ways to steal money: after all, even a low ‘hit rate’ will still reap the immoral rewards.
As just one example of the scale of the problem, consider Secure-D’s real-time malware blocking technology. Last year alone it identified more than 30 million people whose devices had been infected.
How It Works
Malware designed for mobile ad fraud follows a four-step recipe… but sometimes there’s a sneaky short cut.
Step 1: Distribution
With desktop computers, malware creators often rely on misleading links, ‘drive-by downloads’ or bogus attachments to distribute malware. In the mobile world there’s a much easier route: tricking the user into intentionally downloading and installing an infected app. The easiest way to do this is to create what looks, feels and even runs like a legitimate app, but carries out its dirty work in secret. For example, a ‘flashlight’ app may do exactly what it claims… but plenty more as well.
Step 2: Permissions
In theory, systems such as Android protect their users through a permissions-based access. The idea is that users have to approve specific categories of access for an app so that it can’t get unauthorized access to resources or data. It’s a great idea in theory but in practice, users don’t always pay full attention to what permissions an app asks for.
Sometimes this is a matter of trust: if an app looks legitimate, the user assumes the permissions must be necessary. Sometimes it’s just human nature with the user tapping through impatiently so they can get the app working.
But often it’s a case of malware creators taking advantage of the way users don’t appreciate exactly what the permissions terminology means. Agree to “Device Administrator” and you’ll have to figure out a mystery setting before you can uninstall the app. Agree to “SYSTEM_ALERT_WINDOW” and you could find unwanted windows overlaid on your screen ready to trick you into typing in personal details or mistakenly tapping links.
Step 3: Getting To Work
Once installed, mobile malware becomes part of a botnet of infected devices. Running in the background without the user’s knowledge, the malware will visit websites, click on banner ads, and even simulate a real person going through the subscription process and even overriding the two-step authentication process. It’s all designed to claim fraudulent payments from advertisers for the bogus traffic.
Step 4: Staying Hidden
The key to successful mobile malware is continuing to operate without the device user becoming suspicious. Tricks include making sure the app’s supposed main functionality continues to work as promised and avoiding excessive battery drain that could provoke the user into uninstalling the app or investigating further.
The Shortcut: Preinstallation
Some malware creators make their work even easier by getting malware onto phones before the owner even gets them, skipping the download step altogether. One route is to take advantage of buyers in developing countries by putting the malware on cheap handsets.
To give an example, Secure-D found a pre-installed app on handsets in Brazil and Myanmar. Titled com.rock.gota, the app ran the moment users turned on the phones and began sending encrypted data to a server located at url api.rock.fotapro.com, which points to an unsecure server located in Singapore and operated by Gmobi. Secure-D findings on pre-installed malware on Android smartphones was also displayed on the Wall Street Journal.
Follow The Money
It’s easy to be confused by the way mobile ad fraudsters make their money. The phone owner doesn’t always suffer any huge financial loss, though they could see both their phone resources and their data allowance eaten up as a result.
Instead the most common method is to use the infected machines to secretly visit websites that exist mainly to carry advertising, usually provided by an advertising network such as Google Ads. As with legitimate publishers, the site owners get a payment fee from the advertisers every time somebody clicks on one of the ads. The advertisers naturally assume these clicks come from real humans rather than the malware.
In this set-up, the website owner is working in partnership with the malware creators. They collect the money from the bogus clicks, then pass on a share of the ill-gotten gains to the malware creators.