Tales of the Cyber Underground: The Case of the Stoned Cat (When Android Malware Gone Wrong)


Just one mistake on the underground forums could result in reputation ruin and a lack of sales.

Over the last month, two sources have been tracking the rise of a piece of Android malware charmingly called ‘Stoned Cat’. Its sellers made some big claims about their kit. First off, they said it was undetectable by anti-virus and firewall solutions. One also suggested it could only be removed if the victim reset their device to factory settings.

It would appear some rudimentary social engineering would be required in order to convince a target to download the malware, as the infection only visually manifested itself in the form of an Adobe Flash Player icon on the infected Android device. That icon can be customised if the buyer pays more money, however.

What’s New Pussycat?

In terms of functionality, the bot effectively gained administrator control over the device, whilst passing on phone details, including the phone number and geographical location, to the attacker’s command and control servers or to a specified phone number owned by the attacker, according to one of the forum adverts. Text messages would also be intercepted and sent back to the buyer.

It was claimed the malware allowed the attacker to decide which messages the victim could see, so they could, for instance, siphon off bank messages to compromise accounts in multi-step attacks. It could also make phone calls, which could be used to dial premium rate numbers and thereby make the crooks more money. And the malware tried to uninstall an application called Go SMS Pro, most likely because it couldn’t spy on text messages while that protection was present.

Two different breeds of Stoned Cat were on offer, neither cheap. For the malware build and the control panel, the cost would be $1000. That goes up to $3000 for the addition of the tool’s source code.

One source believes the two sellers are working as part of the same developer team. And given the apparent high-level functionality of the malware, this appears to be a well-organised illicit operation. A promising future for the malware then?

Naughty Cat

Not so fast. Despite positive responses from customers in the forums in early January, it appeared at least one of the sellers had gotten cold feet: another source told me at least one dealer seemed to have abandoned the offering. It’s unclear whether Stoned Cat is still up and running today, but it hasn’t become the big hit its creators had hoped it would be.

The reason is likely due to technical difficulties. A separate source said they had tested the malware and it simply wasn’t working as advertised. “Analysis revealed a pretty buggy piece of software that crashed every time we tried to execute it. It’s safe to say that its creators are failing to deliver on their promise”, the source said.

It would be no surprise if Stoned Cat’s owners had decided to pull their pet from stores due to flawed code. Not only would it get them a bad rep if they continued to promote dodgy software, but they might also face repercussions from those who paid thousands for the goods in the first place. The forums are incredibly well policed. Anyone who puts a foot wrong risks getting thrown out. Whilst there are hundreds of dark markets to choose from, limiting your options would hardly be sound business strategy.

Crooks Love Android

Though this Stoned Cat might be put down in the not too distant future, similar pieces of malware that do work have been bought and sold across the forums over recent months. “Android malware is popular, especially the kind that can help compromise the out-of-band devices. Being able to capture one-time passwords sent over SMS, or redirect incoming audio calls, is becoming standard procedure for most Trojan operators”, says one contact.

And we can expect more nasty types of malware similar to the type described by my source, especially now that the iBanking mobile bot had its source code leaked on an underground forum, according to RSA. The malware could be used to record audio, intercept text messages and redirect all calls to a specified number - features similar to those promised in Stoned Cat.

As seen with popular desktop malware, such as the infamous Zeus, when source code is leaked a whole load of innovation is born. Malicious software authors tweak their attacks to ensure anti-virus systems are rendered useless. This is one of the first times mobile malware source code has been leaked, however. And this means you should expect similar beasts to iBanking and Stoned Cat to hit the markets, and people’s phones, imminently.

What this all tells us is that sophisticated underground digital crooks working some of the most trusted dark markets are keen to exploit Android devices. Whilst we’re some way away from seeing mobiles being as attractive to criminals as Windows PCs, that day may come sooner than many had anticipated.
