Dragon Lady

DRAGON LADY: AN INVESTIGATION OF RUSSIAN SMS FRAUD
RYAN W SMITH & TIM STRAZZERE, Lookout, Inc.

Uploaded by: lookout

Posted on 15-Jan-2015

Category: Technology

Page 2: Dragon lady

WHO ARE WE - RYAN W SMITH

• Senior Research and Response Engineer @ Lookout

• Contributing member of the Honeynet Project for more than 10 years

• Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing before starting Android reversing

• Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS


Page 3: Dragon lady

WHO ARE WE - “DIFF” @TIMSTRAZZ

• Lead Research & Response Engineer @ Lookout

• Reversed the Android Market/Google Play Protocol

• Junkie for reversing mobile malware, creating write-ups and teaching others to help raise the bar

• Spoke previously about anti-analysis / anti-decompilation / anti-emulation techniques at BH’11/12, EICAR’12, HiTCON13, SySCAN ’13 etc.


Page 4: Dragon lady

WHY DEEP DIVE?

• Stats are extremely misleading; but get headlines!

• Did it just go from 100 samples to 163?

  163 / 100 == 1.63 == 163%

• Different (zip) hash? Different (unique) sample?

• Correlation by SENDS_SMS is not good enough!


Page 5: Dragon lady

WHY DEEP DIVE?

• New hash != new “sample” -- need context!

• Impressive... “server-side polymorphism”

  bebop:alphasms tstrazzere$ shasum *apk
  e780f49dd81fec4df1496cb4bc1577aac92ade65  mwlqythh.rwbkulojmti-1.apk
  8263d3aa255fe75f4d02d08e928a3113fa2f9e17  mwlqythh.rwbkulojmti-2.apk
  521d3734e927f47af62e15e9880017609c018373  mwlqythh.rwbkulojmti-3.apk
  bebop:alphasms tstrazzere$ shasum *.dex*
  14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-1
  14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-2
  14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-3

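As an added example (not from the talk or from Lookout's own tooling), this script groups APKs by the SHA-1 of their classes.dex rather than by the hash of the whole zip, which is what separates repackaged copies from genuinely new samples in the shasum output above. The three APKs are constructed in memory as stand-ins; the payload bytes are a placeholder, not a real dex file.

```python
import hashlib
import io
import zipfile
from collections import defaultdict
from typing import Dict, List, Optional


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def dex_hash(apk_bytes: bytes) -> Optional[str]:
    """SHA-1 of classes.dex inside an APK (a zip); None if the entry is missing."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "classes.dex" not in z.namelist():
            return None
        return sha1(z.read("classes.dex"))


def cluster_by_dex(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group sample names by classes.dex hash: repackaged copies of one
    payload collapse into a single cluster instead of counting as N samples."""
    clusters = defaultdict(list)
    for name, apk in samples.items():
        clusters[dex_hash(apk) or "no-classes.dex"].append(name)
    return dict(clusters)


def make_apk(dex: Optional[bytes], filler: bytes) -> bytes:
    """Constructed stand-in for a server-side repackaged APK: identical
    classes.dex, different extra resource, so only the zip hash changes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        if dex is not None:
            z.writestr("classes.dex", dex)
        z.writestr("res/raw/config.bin", filler)
    return buf.getvalue()


# Constructed placeholder payload, not a real dex file or real malware.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 64
SAMPLES = {f"sample-{i}.apk": make_apk(SAMPLE_DEX, bytes([i]) * 16) for i in (1, 2, 3)}

if __name__ == "__main__":
    for name, apk in SAMPLES.items():
        print(f"{sha1(apk)}  {name}  classes.dex={dex_hash(apk)}")
    print(cluster_by_dex(SAMPLES))  # one cluster holding all three names
```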

Page 6: Dragon lady

FAMILY INTEL.

Columns: Threat | Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)

Families: ALPHASMS, BADNEWS, CONNECTSMS, DEPOSITMOBI, FAKEBROWS, SMSACTOR, NOTCOMPATIBLE


Page 7: Dragon lady

FAMILY INTEL.

Columns: Threat | Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)

Families: ALPHASMS, BADNEWS, CONNECTSMS, DEPOSITMOBI, FAKEBROWS, SMSACTOR, NOTCOMPATIBLE

Generic names used elsewhere for these families: FakeInst / SMSSend / other generic name


Page 8: Dragon lady

SAMPLE EVOLUTION IS IMPORTANT

ConnectSMS.a (e6d823..., packaged 07-30-12)
  - No obfuscation / crypto
  - Debug information available

ConnectSMS.f (00f35f..., packaged 12-13-12)
  - SMS endpoints / URL encrypted
  - Debug info stripped
  - Added contact exfiltration

ConnectSMS.p (355d6f..., packaged 01-11-13)
  - SMS endpoints / URL encrypted
  - Debug info stripped
  - Removed contact exfiltration

ConnectSMS.s (383069..., packaged 04-03-13)
  - SMS / URL remotely pulled & decrypted
  - Debug info re-added

Same crypto across all four versions


Page 9: Dragon lady

• Underlying code still similar

• “Polymorphism” easily confused with “omg sky is falling”

• Trends across different distributing organizations

DECIPHERING OBFUSCATION

AlphaSMS


Page 11: Dragon lady

BEYOND SMS FRAUD - NOTCOMPATIBLE

• Interesting exercise in malware component commoditization

• Relates directly to PC malware

• Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?)

• Actively used for evading fraud detection

[Diagram: Attacker in Europe; Purchasing service inside US; direct path blocked by fraud detection; Infected proxy device inside US relays the attacker's traffic]

Page 50: Dragon lady

CONCLUSIONS

• Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections

• SMS Fraud is a diverse threat, and requires careful categorization

• SMS Fraud has effectively been commoditized in Russia and has a thriving support system

• By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a-mole” AV strategy


Page 51: Dragon lady

THE GIANTS ON WHICH WE STAND

• Thanks to:

• The entire R&R and security team at Lookout

• The Honeynet Project

• Mila @ Contagio Dump

• @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax


Page 52: Dragon lady

Keep in touch with

@lookout

/mylookout

blog.lookout.com

[email protected]

http://bit.ly/dragon-lady