Malware developers paying $100 apiece for Google Play accounts

Independent security guru Brian Krebs said that he stumbled upon an Android malware developer on a semi-private Underweb forum, “who was actively buying up verified developer accounts at Google Play for $100 apiece.” By verified, that means that the account has been verified by Google as legitimate and tied to a specific domain. Google charges $25 for Android developers to get started selling through the Google Play marketplace, offering a margin opportunity for the less scrupulous among them to sell of their credentials.

But malware authors can parlay their $75 investment into something much bigger.

“Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey,” Krebs noted. “The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.”

Dubbed Perkele, that particular malware costs $1,000 for a single-use application that targets one specific financial institution. Also, a universal kit goes for $15,000, “which appears to be an SMS malware builder that allows an unlimited number of builds targeting all supported banks,” Krebs said.

The scope of the problem is becoming too large to ignore. For instance, Kaspersky Lab found that 99% of newly discovered mobile malicious programs now target the Android platform, with a very small amount targeting Java- and Symbian-based smartphones.

To put that in perspective, consider the fact that Kaspersky tracked a negligible eight new unique malicious programs in January 2011, after which the average monthly discovery rate for new Android malware in 2011 went up to more than 800 samples. In 2012, Kaspersky identified an average of 6,300 new mobile malware samples every month. Overall, in 2012 the number of known malicious samples for Android increased more than eight times.

“Say what you will about Apple‘s closed or vetted iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps,” said Krebs.

He said that a bit of common sense and impulse control can keep most Android users out of trouble.

“Take a moment to read and comprehend an app’s permissions before you install it,” he counseled. “Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner). Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.”

What’s Hot on Infosecurity Magazine?