Thanks to Eric Chien for his assistance with this research.
We recently came across a new piece of Android malware, first highlighted by NC State’s Xuxian Jiang, and began investigating the command-and-control (C&C) servers associated with the threat. The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application.
Analysis of these servers indicate the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botmaster millions of dollars annually if infection rates are sustained. Profit estimations can be found in the "Revenue generation" section below. So far, the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China (the Trojanized application is only available for download from third-party Chinese markets). Revenue generation through premium SMS, telephony, and video services is also limited to the networks of China's two largest mobile carriers. Since the botnet has been active for a considerable amount of time, the botmaster has already earned hundreds of thousands of potential dollars during its operation. Also, while this is not the first botnet of this type we have found, this is the first time we are revealing detailed information regarding profitable revenue generation.
Screenshot of the Trojanized application.
Botnet structure and size
Upon running the Trojanized application, both the original clean software and a malicious application (Android.Bmaster) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated. The malware posts some user and phone-specific data to the remote address and attempts to download and run an APK file from the server. The downloaded file is the second stage in the malware and is a Remote Administration Tool (RAT) for Android, detected as Android.Bmaster. This type of malware is used to remotely control a device by issuing commands from a remote server.
We began investigating the server from where the malware was being served and discovered an additional 27 Android applications available for download. All of the discovered samples were found to be the malware Android.Bmaster. Judging by the timestamps of the available Android malware files, we were able to determine infections had been live from this command-and-control server from September 2011 to present day.
After analysis of other pages hosted on the remote server, we discovered what appeared to be a monitoring application for all the mobile phones infected with the Android.Bmaster malware. This was an incredible discovery, as it allowed us to determine the number of phones infected with the malware and the overall size of the Bmaster botnet.
Translated screenshot of the monitoring frontend.
By analyzing the information available on the remote server and reviewing the command-and-control panels, the amount of infected handsets appear to number in the hundreds of thousands. These numbers are based on querying the command-and-control data itself, taking into account the number of unique IMEI numbers discovered on the server’s monitoring pages. The command-and-control panel also graphs daily heartbeat pings from infected devices, and the data again indicates a botnet which numbers in the thousands.
Figure showing daily “heartbeat” numbers from infected devices.
The vast majority of infected devices belonged to Chinese customers. We also concluded the following data was transmitted by the malware:
The regional information transmitted by infected phones is reflected in the command-and-control panels investigated, as seen above. There is also evidence the infected phones can be configured by the botmasters to block all incoming messages from China's two largest mobile carriers. This is a technique used by previous Android malware, as it prevents customer service representatives from contacting infected customers. Inspection of the message center phone numbers (logged by the malware) indicates the customers were based mainly in China and surrounding areas.
Screenshot showing infected phones.
We previously mentioned the phone-specific and geographical information stolen by Android.Bmaster, however the capabilities of the malware are not limited to this type of data theft. As has been reported elsewhere, this type of remote administration application is capable of much more functionality. Since this is a Remote Administration Tool, the malware is capable of receiving commands from the remote server. We have seen evidence of functionality to send text messages, block incoming text messages, log details of outgoing phone calls (including duration and target phone number), generate outgoing phone calls, updating the command-and-control server it contacts, and log and generate WAP access. More alarmingly, this botnet appears to capture and store a large amount of this data on its command-and-control servers. We discovered evidence of the botnet logging which phones were infected by the initial stage of the threat, which phones had exploit attempts, and which phones were successfully exploited. We also discovered evidence of the botnet recording which infected phones could execute commands.
The motivation behind the botnet is financial. The botnet exists to force infected devices to pay for premium services (shown in the monitoring and administration pages on the command-and-control panel). The botnet is geared towards Chinese mobile customers on two specific networks. Although phones on other networks have also been infected, the botmaster places those phones in a “do not use” queue. The botmaster configures rules, based on geographical location and mobile operator, which controls actions taken by each infected device. A device connecting to the command-and-control server for the first time, for instance, is assigned a set of rules which match device type, malware version, geographical location, and mobile operator. The botmaster can then further configure these rules to specify which premium service the infected device should attempt to contact. Infected devices are then configured to send SMS messages to premium numbers, contact premium telephony services, and connect to pay-per-view video hosting.
The botmaster has a fine grained level of control over the infected devices. Depending on which premium service a device is attempting to contact, a number of configuration options are available to the botmaster. For example, an infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days. Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website. The botmaster may also configure which incoming messages get blocked by the malware. This is typically used to block messages from mobile operators, but it is further configurable to prevent messages from premium services being returned to the device. This means the botmaster can configure infected devices to block any message with specific keywords ("on demand", "fee", etc.) that would potentially alert the infected user.
Active infection figures for January 1, 2012.
Although not every infected device is a good candidate for this type of functionality, a significant amount of infected devices are. The command-and-control frontend records how many devices are actively generating revenue on a daily basis. The figures for 02/06/2012 recorded 11,000 active devices generating revenue for the botmaster, whereas the figures for 01/01/2012 showed 29,000. The number of active, infected devices tend to range from 10,000 to 30,000 per day. Premium SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of the active, infected devices on the botnet and how most users likely would not notice the infection right away.
Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year the botnet is running. (A percentage of this revenue needs to be paid out for overhead costs, such as revenue sharing agreements for leveraging premium content channels.)
This is not the first example of an active, revenue-generating Android botnet we have seen. However, considering the huge market for Android apps, the availability of third-party app stores without security checks, and the massive revenue which can be generated from this type of botnet, Android.Bmaster’s million-dollar botnet certainly won’t be the last.