Google developer accounts have been a focus of attention for the cyber community for some time now. It's little surprise that one of my security colleagues, Brian Krebs, recently identified the Google Play Store as a major hunting ground for these cyber criminals. Given all the well-documented security issues surrounding Android, it's little wonder we haven't heard about this underground tactic sooner.
His research found that malware authors were prepared to pay $100 for a genuine Google Play account, so that they could engineer their malcode (SMS malware, see below) to work inside a legitimate app. This information is being shared on the dark web, in IRC chat rooms and on some invitation-only forums. Google charges just $25 for Android developers to sell their apps through the Play Store; however, Google also requires accounts to be approved and linked to a specific web domain. Don't mention the fact that Google Android allows developers to self-sign code here, folks!
Why are malware authors purchasing developer accounts?
Android SMS malware bot packs (including the premium SMS variety) are king right now on the dark web. This malware can intercept a One Time Passcode (OTP) authentication process (usually targeting banks that use mTANs for online banking). It does so by asking the user to install a "security certificate" on their mobile device, then encouraging them to enter their mobile number, to which a fake SMS containing an HTTP (note: not HTTPS) link to download the mobile malware is sent. What makes this malware unique is that it can be loaded as an add-on to any financial malware family that supports web injections.
Mobile malware packs (as in the PC world) can usually be customised and used to target not just one financial institution but many. In the instance mentioned above, the bot was targeting European banks that use mTANs (see bootnote); however, this type of attack will not work here in the UK, as UK banks don't use mTAN authentication numbers.
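The delivery step described above leaves a recognisable trace on the handset: an SMS carrying a plain HTTP link, often to a direct .apk download, wrapped in "install a security certificate" wording. The scanner below is an added example (not code from the original post or from the malware research it cites) that runs a few such heuristics over constructed sample messages and grades each one. The message bodies, sender numbers and .test domains are all made up for the example; the `SmsMessage`, `risk_indicators`, `classify` and `scan_messages` names are hypothetical.

```python
"""Heuristic scanner for SMS lures of the kind described in the post.

Added example, not the post's own code. It flags messages that carry a
plain-HTTP link, a direct .apk download, or "security certificate"
wording. Sample messages are constructed; the .test domains are reserved
names, not real hosts.
"""
import re
from dataclasses import dataclass, field
from typing import List

# A plain http:// link (the post notes the lure uses HTTP, not HTTPS).
PLAIN_HTTP_URL = re.compile(r'\bhttp://[^\s<>"]+', re.IGNORECASE)
# A direct Android package download inside a URL.
APK_IN_URL = re.compile(r'\.apk\b', re.IGNORECASE)
# Wording used to talk the victim into side-loading something.
CERT_LURE = re.compile(r'\b(security|bank(ing)?) certificate\b', re.IGNORECASE)


@dataclass
class SmsMessage:
    sender: str
    body: str


@dataclass
class ScanResult:
    sender: str
    level: str                      # "low", "medium" or "high"
    indicators: List[str] = field(default_factory=list)


def risk_indicators(msg: SmsMessage) -> List[str]:
    """Return the name of every heuristic the message triggers, in a stable order."""
    found: List[str] = []
    for url in PLAIN_HTTP_URL.findall(msg.body):
        if "plain_http_link" not in found:
            found.append("plain_http_link")
        if APK_IN_URL.search(url) and "apk_download" not in found:
            found.append("apk_download")
    if CERT_LURE.search(msg.body):
        found.append("certificate_lure")
    return found


def classify(msg: SmsMessage) -> ScanResult:
    """Map indicators to a risk level.

    A direct .apk link, or a plain HTTP link combined with certificate
    wording, is the delivery pattern the post describes and rates high.
    Any single indicator on its own is only medium.
    """
    ind = risk_indicators(msg)
    if "apk_download" in ind or ("plain_http_link" in ind and "certificate_lure" in ind):
        level = "high"
    elif ind:
        level = "medium"
    else:
        level = "low"
    return ScanResult(msg.sender, level, ind)


def scan_messages(messages: List[SmsMessage]) -> List[ScanResult]:
    """Classify a batch of messages (e.g. an exported inbox)."""
    return [classify(m) for m in messages]


# Constructed sample inbox (not real bank traffic).
SAMPLE_MESSAGES = [
    SmsMessage("+44700000001",
               "Your bank requires a new security certificate. "
               "Install it from http://example-bank-cert.test/cert.apk"),
    SmsMessage("BANK",
               "Your mTAN for transfer 4711 is 839201. Do not share it with anyone."),
    SmsMessage("BANK",
               "View your statement at https://example-bank.test/statements"),
    SmsMessage("+44700000002",
               "Get our new app: http://example.test/app"),
]


if __name__ == "__main__":
    for r in scan_messages(SAMPLE_MESSAGES):
        print(f"{r.level:6} {r.sender:14} {', '.join(r.indicators) or '-'}")
```

A genuine mTAN delivery (second message) trips nothing, and an HTTPS link on its own is not counted, so the scanner separates the lure from the legitimate one-time code the malware is trying to capture. In practice such heuristics belong on a mail/SMS gateway or in an MDM reporting pipeline rather than on the handset, and a plain HTTP link alone is only a medium signal because plenty of benign senders still use it.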
Safe surfing folks!
Bootnote: mTANs are used by some online banking services as a form of single-use one-time password (OTP) to authorise financial transactions. mTANs are used by banks in Austria, Bulgaria, the Czech Republic, Germany, Hungary, the Netherlands, Poland, Russia, South Africa, Spain and Switzerland, and by some in New Zealand and Ukraine.