Google’s proud of its track record in protecting more than one billion Android phones and tablets from malevolent hackers. But in the last 12 months, it’s been dealt a few blows, including the biggest ad fraud to ever hit its mobile operating system and the most significant single theft of Google accounts thanks to an Android malware called Gooligan.
Those alarming events were set off via networks of cybercriminals focused on the platform, where coders combine their technical skills with the will and financial backing of organized gangs. Sometimes, the latter group don’t even have to pay for the former’s digital tools. Sometimes, the technically-savvy types open their minds for free.
That’s just what a character calling himself Maza-In did just before last Christmas, when he or she posted an in-depth guide on the Exploit.in hacker forum for creating Android “bankers” – malware designed to steal bank login details from users of Google’s platform. The post not only included directions, but source code for a banker too. There was also a description of the required backend infrastructure, all of which combined could deliver realistic-looking bank pages designed to trick victims into handing over their usernames and passwords.
And now, Android security experts have pinned a spike in banking malware on Maza-In and that post. They claim that Maza-In, in one fell swoop, caused a sudden leap in Android banking fraud, as cybercriminals took that open sourced code and adapted it to spread both in and outside Google’s official Play store. According to an independent researcher going by the moniker b0n1, as many as 60 variants of malware containing the Maza-In banker have been pushed out into the wider world by hackers hoping to make some easy money.
Check Point, which has been tracking the mini-explosion in Android bank fraud with ElevenPaths, a Telefónica security unit, told Forbes it had records of several dozen servers operating Maza-In’s malware, the largest of which controlled close to 3,000 bots. ElevenPaths said that, from Google Play alone, downloads of apps based on Maza-In’s code stood at above 10,000 and expected to rise, not to mention the number of downloads outside the store.
Those aren’t massive numbers. But what Maza-In and those who adapted his work for their own machinations have proven repeatedly are flaws in Google Play’s security, namely the Bouncer technology that’s supposed to keep bad apples out. Just two weeks ago, a sample of BankBot, based on Maza-In’s creation, was seen inside Google Play initially disguised as a video downloader tool. On June 13th, a very similar looking video downloader was up on the market; underneath was, again, a banker using Maza-In’s work. Going further back to April, a malware called Charger, which also borrowed heavily from Maza-In, was doing much the same, but masquerading as a flashlight app inside the official store, ESET reported. All were removed from Google Play as soon as the tech giant was alerted, but not before thousands were infected.
“Before this Maza-In code, there were a lot of Android banking Trojans, for sure,” said ElevenPaths security researcher Sergio de los Santos. “But accessing the source code was not easy and this helps all kinds of people create variants and even get into Google Play. Giving a very simple and effective framework to create and manage your own banking Trojan opens the door to hundreds of profiles of attackers that want to get into business the easy way.
“Maza-in made it very simple to add different banks to attack, so you may see people from Latin America with their own samples focused on banks in there, UK people, Russians.”
A hacker responds
Maza-In says he is no cybercriminal, though. (As Maza-In uses a profile picture of Bob Marley, Forbes has chosen to refer to the hacker in the masculine). In an interview over encrypted chat, he said he only wanted to highlight weaknesses in Google’s operating system, not spawn a spike in Android cybercrime. He claimed, for instance, that despite security firms’ claims he was behind the BankBot banker, another individual was responsible.
Yet he was aware of the criminal use of his code, revealing others, whether they’d given the malware additional features or not, were selling it for between $2,000 and $3,000 a pop on the web’s underground markets. “I did not expect it to work out that way, that it would spread so much,” he told me in Russian (translated by Google Translate).
“I did not write an article to harm people… I’m interested in studying the holey Android, since Google is not able to make a good operating system… by this I wanted to show the vulnerability of the Android and thought that Google would take care of security.” Unlike security pros who disclose bugs in return for credit or monetary reward, Maza-In said he didn’t contact Google.
In describing just what he thought was wrong with Android security, he added: “The biggest problem is that the device can install any application, get full access to the device and can be substituted for fake banking applications [that can] intercept SMS [and] manage the device. In general, everything is possible.”
As for Check Point and ElevenPaths’ assessment he was a malware creator supporting criminal operations, Maza-In said they’d exaggerated. He even claimed to be working on an Android anti-virus application.
But whilst analysts from both firms agree there’s no evidence he’s actively exploiting Android devices, they say it’s clear he is a malware creator who’s not followed best practise in highlighting security issues. “The blog contains explicit evidence that Maza-in is indeed behind the malware. He also boasted about his malware not being caught until January on one forum,” said Daniel Padon, mobile security researcher at Check Point. According to Lookout Mobile Security researcher Michael Flossman, Maza-In is just one handle used by a crew of Android fraudsters running all the aforementioned fraud malware.
“If you really want to show how unsecure Android is, you write an article about it, you code a proof of concept, you contact the right people to spread the word,” said de los Santos, explaining his disbelief at Maza-In’s claims to innocence.”But creating a Trojan? Oh, come on.”
Whatever the hacker’s involvement in the murkier parts of the internet, he and those who took advantage of his guide have given Google a headache. The company didn’t respond to requests for comment. But with the frequent appearances of these bankers on Google Play, it’s apparent the company has some work to do to keep ne’er-do-wells out of the market and users’ Android devices. – Written by Thomas Fox-Brewster, FORBES STAFF