Cybercriminal in Brazil shares mobile credit card store app
RSA agents recently traced a threat actor advertising a mobile credit card store application. The cybercriminal shared the information on his Facebook page, including methods for using the app and links for downloading it. Besides the obvious purpose of selling compromised card data, launching the application on a mobile device also prompts requests for user permissions that can give the application the kind of control over the device usually associated with malware.
RSA Online Fraud Report - August 2014
RSA MONTHLY FRAUD REPORT
CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP
August 2014
RSA’s open source investigation revealed a cybercriminal openly advertising a CC store (Figure 1) designed as a mobile phone application for Android and iPhone devices (a translation follows below).
“Good evening everybody! Today I’ll show a project that I’ve been developing for a while... it’s an automated credit card shop application that runs on Android and iOS, using my web credit card store as database.

Remember that I’m the first Brazilian programmer to develop a mobile application that sells credit cards. My clients are increasing day by day and I hope that this new system helps them with their shopping.

The Android application is already nearly done and the iOS one is 60% done (tested on Galaxy S5 and iPhone 5S; if it doesn’t work on your mobile, send me a message with your model and I’ll check!).

This message is already long so I won’t be giving any more details. Below there’s the link for my website to download the app and its link on Google Play!

Don’t forget to install it on your Android, and next week I hope that iOS will get it too!”
AVAILABLE IN THE OPEN MARKET
The application was made available as a free download on Google Play. The cybercriminal provided the following instructions for using the app:
––Order a batch of CC credentials
––Enter personal info
––App will send banking info in order to make a deposit
––Wait 24 hours to make a transaction
––Take photo of the transaction deposit slip for proof, and send it to fraudster
––Receive the CC credentials by email
In the CC shop website shared by the fraudster, there is a link that automatically starts downloading the application (Figure 2). The Android link downloads an Android binary (APK), while the iPhone link displays a message advising the user to wait for a week.
A sample of screenshots from the app, with relevant translations, can be found below.
1 Methods of payment:
We accept only bank deposits. As soon as you make an order, an order number will appear on the screen with the rest of your registration info and the total sum to be paid. After you make the order you have 24 hours to make the payment and send the receipt (it can be a photo, a scan or a digital receipt) to financial@... Remember that a few cents will be added to the sum to better track the deposit. The client will then receive an email confirmation. We can’t guarantee product availability before the money is in the bank account.
2 Delivery time:
After the payment confirmation, expect a delay of about 2 hours before the information is sent. When the payment is accounted for by our financial sector, the client will receive confirmation via email. Our objective is for your order to be delivered ASAP. Plan your shopping and choose the best delivery method according to your needs.
3 Information exchange:
Offering the best service to our clients with a total guarantee is our most important objective. We want you to have the best shopping experience possible, so we accept an exchange or give your money back at no cost.
Buttons: “Agree” / “Disagree”.
––Order code
––Name
––Email
––Package: Gold
––Quantity: 10 units
––Payment method: Deposit
––Total value: R$ 700,15 (Brazilian reais)
Button: “Send order”.
Your order was successfully sent!
––Check your email for deposit info.
––After the deposit, you’ll receive a payment confirmation in the CONFIRMATION menu.
ANALYSIS OF THE MOBILE APP
A deeper look at the Android application shows that it has the potential to be used as malware. Upon launching, the app requests a large number of permissions from the user, similar to those commonly requested by mobile malware. Some of the permissions requested include:
––Read and write in Calendar and Contacts
––Access your location (GPS and network)
––Call numbers
––Read and write to protected and to external storage
––Access to your camera and microphone
––Access to the device ID and phone status
After reverse engineering and static code analysis of the application, RSA agents discovered code that could indicate its use as malware. The app has the ability to download and install new applications and functions (such as reading SMS messages, reading the SD card, etc.). This means the application can update itself later, installing additional applications that can make use of any of the above permissions.
Additional features revealed in analysis of the application:
–– Upon opening, the application shows the user two different advertisement banners.
–– The app has access to external storage, so it can store and install new applications in the external memory space.
–– The app employs anti-analysis (anti-SDK) checks: it reads the Android OS build properties to verify whether it is running on a physical mobile device or in a virtual machine (a laboratory testing environment).
–– The app reads the country code and network operator code (MCC/MNC) from the SIM card.
–– Upon installation, the app attempts to access the SMS service and read SMS messages.
It is important to note that the CC store application’s own code is not contained in the Android binary (APK) that is originally downloaded to the device. Instead, the application fetches it at run time:
–– When the application is launched, it downloads the necessary library from the fraudster’s server. The library contains the code providing the functions needed to make the CC store accessible from the user’s device.
–– The fraudster can change this code on his server at any time, so the client application downloads and runs the new version without needing to be updated through the store.
–– In some cases the library is not downloaded even though internet access is available. This is consistent with the app performing its anti-SDK check first and downloading the library only if it verifies that it is not running in a virtual machine.
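As an added example (not RSA’s tooling and not code from the app), the checks described above can be reduced to a small static triage script. It assumes an apktool-style decoded tree, where AndroidManifest.xml is plain text and the string constants of classes.dex have already been pulled out by a separate tool; both inputs below are constructed samples modelled on the report’s findings, and the package name, the library filename and the indicator tag names are our own. The script parses the manifest’s uses-permission entries, matches dex strings against indicators for dynamic code loading (DexClassLoader), build-property emulator checks, SIM reads, the SMS content provider and APK installation, and then combines the two views the way the report does: once code is loaded at run time the manifest is only an upper bound on behaviour, and an emulator check in front of the loader means a sandbox will see nothing.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permissions RSA lists for the app, keyed to what each one exposes.
# The permission strings are real AOSP names; the grouping is ours.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.READ_PHONE_STATE": "device-id",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
}

# Regexes over dex string constants and method references, each tagged with
# the behaviour an analyst would file the hit under (tag names are ours).
CODE_INDICATORS = [
    (r"Ldalvik/system/DexClassLoader;", "dynamic-code-loading"),
    (r"Landroid/os/Build;->(FINGERPRINT|MODEL|PRODUCT|HARDWARE)", "emulator-check"),
    (r"generic|goldfish|google_sdk|sdk_gphone", "emulator-check"),
    (r"Landroid/telephony/TelephonyManager;->getSim(Operator|CountryIso)", "sim-read"),
    (r"content://sms", "sms-read"),
    (r"application/vnd\.android\.package-archive", "installs-apps"),
]


def requested_permissions(manifest_xml):
    """Names of every <uses-permission> in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def scan_strings(dex_strings):
    """Map indicator tag -> set of dex strings that matched it."""
    hits = {}
    for s in dex_strings:
        for pattern, tag in CODE_INDICATORS:
            if re.search(pattern, s):
                hits.setdefault(tag, set()).add(s)
    return hits


def verdicts(perms, hits):
    """Conclusions that only follow from combining manifest and code views."""
    out = []
    if "dynamic-code-loading" in hits:
        out.append("Manifest permissions are an upper bound: run-time-loaded code can use any of them.")
    if "emulator-check" in hits and "dynamic-code-loading" in hits:
        out.append("Emulator check gates the loader: expect the payload to be withheld in a sandbox.")
    if "sms-read" in hits and "android.permission.READ_SMS" not in perms:
        out.append("SMS provider queried without READ_SMS: a later-installed component must supply it.")
    if "installs-apps" in hits:
        out.append("Passes APKs to the installer: later drops can declare permissions this APK never did.")
    return out


def triage(manifest_xml, dex_strings):
    perms = requested_permissions(manifest_xml)
    hits = scan_strings(dex_strings)
    return {
        "sensitive_permissions": {p: SENSITIVE_PERMISSIONS[p]
                                  for p in sorted(perms) if p in SENSITIVE_PERMISSIONS},
        "indicators": {tag: sorted(v) for tag, v in hits.items()},
        "verdicts": verdicts(perms, hits),
    }


# Constructed sample inputs modelled on the report's findings (not the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ccstore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

SAMPLE_DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "generic",
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;",
    "content://sms/inbox",
    "application/vnd.android.package-archive",
    "ccstore_lib.jar",  # constructed placeholder for the run-time-fetched library
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS), indent=2))
```

The sample deliberately omits READ_SMS, matching the report, which lists no SMS permission yet observes the app trying to read SMS; the corresponding verdict is what tells the analyst to look for a second, installed-later component rather than assume the first APK is the whole story. In practice the dex strings come from a dex parser or `strings` on classes.dex, and the real AXML manifest needs apktool or a binary-XML decoder before this text parser can read it.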
CONCLUSION
This is one of the first malicious mobile apps developed by Brazilians. The many permission requests upon launching may be a sign that the app is also used as malware. Ironically, since cybercriminals are the ones who will use this app to buy CC credentials, they may also be ripped off by the developers of the app.
PHISHING ATTACKS PER MONTH
RSA identified 42,571 phishing attacks in July, marking a 25% increase from June. Based on this figure, RSA estimates phishing cost global organizations $362 million in losses in July.

US BANK TYPES ATTACKED
U.S. regional banks have consistently been hit with 30–35% of phishing volume over the last few months, targeted by about one out of every three attacks. (Chart categories: credit unions, regional banks, national banks.)

TOP COUNTRIES BY ATTACK VOLUME
The U.S. remained the most targeted country in July with 63% of phishing volume. China, the Netherlands, the UK and France were collectively targeted by 20% of total attacks. (Chart: U.S. 63%; the Netherlands, UK and China each between 4% and 6%.)

Source: RSA Anti-Fraud Command Center, August 2014
TOP COUNTRIES BY ATTACKED BRANDS
Brands in the U.S., UK, Canada, and India were targeted by half of all phishing attacks in July. (Chart values: 29% and 11%, labelled U.S. and UK.)

TOP HOSTING COUNTRIES
There was a surprising spike of hosted phishing attacks in Hong Kong in July at 13%, while the U.S. continued to remain the top hosting country at 36%, despite a 7% decline from June. (Chart values: 36%, 13%, 6%, 5%.)

MOBILE TRANSACTIONS AND FRAUD (Q2 ’14)
In Q2, 33% of banking transactions originated in the mobile channel. This marks a 20% increase in mobile traffic from 2013, and a 67% increase from 2012. Among total transactions, one out of every four identified fraud transactions was initiated from a mobile device. (Chart: 33% of transactions and 25% of fraud transactions from mobile.)

[Figure: GLOBAL PHISHING LOSSES, JULY 2014]
Source: RSA Anti-Fraud Command Center