Lookout has identified JollyBot, a piece of Russian malware designed to hide inside innocent carrier applications in order to commit premium rate SMS fraud. Unlike traditional SMS fraud trojans, where the malware author writes the code, selects an innocent app and infects it himself, JollyBot is distributed by its authors as a service, similar to our recent findings on Dragon Lady. Once subscribed to this service, affiliate customers are handed a toolkit or “SDK” and do all the heavy lifting themselves: they choose which apps to infect, insert the SDK and distribute the result, which are the high-risk parts of this criminal enterprise. JollyBot’s authors can sit back and collect a revenue share from these affiliates as payment for their service.
Who is likely to be affected?
The risk of infection is low. Detection volumes are low and restricted to Russia and its surrounding countries. As with all premium rate SMS fraud malware, JollyBot only works in the countries where its authors have been able to register the necessary premium rate SMS services with telephone service providers whose terms suit their business model; on a device connected to any other network the malware cannot generate revenue.
To date, the only site we have seen hosting the malware is “Spaces,” a popular Russian social networking site. Infected apps detected so far include popular games, utilities and pornography, and, ironically, repackaged security apps such as antivirus apps.
All Lookout users are protected from this threat.
Much like BadNews, JollyBot demonstrates the increasing complexity and sophistication of the operations behind what used to be simple premium rate SMS fraud. In both cases, the malware operators have created a toolkit that lets hundreds or even thousands of affiliates do the heavy lifting and accept most of the risk while the operators sit back and collect their share of the SMS revenue. JollyBot provides a low barrier to entry for novice fraudsters: a turnkey, easy to operate premium rate fraud operation.
How it Works
When an infected application starts, it sends identifying information about the device to the Command and Control (C&C) server, including IMEI, IMSI and phone number. It also sends a “partner ID,” which presumably identifies the affiliate the device is associated with.
There are two major commands accepted:
- Send an SMS to a server-defined number.
- Update C&C servers: authorizes new servers to send commands.
The most interesting aspect to this piece of malware is its well organized affiliate network and the technical integration the malware authors have undertaken to make this possible.
Figure 1 – Original Russian Language and Machine translated versions of the JollyBot affiliate site.
The SDK is promoted through a domain registered via an anonymous proxy service. The site allows affiliates and would-be affiliates to register, sign in and download their SDK. It also lets them view and manage their botnets and monitor their SMS fraud revenue share.
Figure 2 – Original Russian Language and machine translated versions of the affiliate site registration page.
The affiliate site is also used heavily for promotion, and features revenue-sharing figures intended to show how successful the JollyBot affiliate network is and how much money it makes. It seems unlikely that any of this information is accurate, considering some of the wild claims made, including “over 1000 infected applications in Google Play”.
Figure 3 – Spreadsheet from JollyBot affiliate site allegedly breaking down the distribution of revenue to affiliates.
Infected applications then poll the configured C&C servers every 60 seconds for fresh commands to execute.
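The two network behaviours described above, a one-time check-in carrying device identifiers and a partner ID, followed by a poll of the C&C host roughly every 60 seconds, are exactly what a defender can look for in proxy or gateway logs. The following is an added example (not Lookout’s code, nor anything taken from the JollyBot SDK) that flags both patterns in constructed log lines. The log format, the hostnames, the device labels and the query parameter names (`imei`, `imsi`, `phone`, `partner`) are all assumptions; the write-up does not give the real protocol.

```python
"""Added example (not Lookout's code): find the identifier check-in and the
fixed-interval C&C poll described above in proxy log lines.  Log format,
hostnames, device labels and parameter names are assumed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in an assumed "<ISO timestamp> <device> <method> <url>" format.
# dev1 registers once with IMEI/IMSI/phone/partner ID, then polls /cmd about every 60 s;
# dev2 is ordinary, irregular browsing used as a negative control.
SAMPLE_LOG = """\
2013-07-02T10:00:00 dev1 POST http://c2.example/reg?imei=123456789012345&imsi=250012345678901&phone=%2B79161234567&partner=17
2013-07-02T10:00:05 dev2 GET http://news.example/
2013-07-02T10:01:00 dev1 GET http://c2.example/cmd?imei=123456789012345
2013-07-02T10:02:01 dev1 GET http://c2.example/cmd?imei=123456789012345
2013-07-02T10:03:00 dev1 GET http://c2.example/cmd?imei=123456789012345
2013-07-02T10:04:02 dev1 GET http://c2.example/cmd?imei=123456789012345
2013-07-02T10:05:01 dev1 GET http://c2.example/cmd?imei=123456789012345
2013-07-02T10:07:40 dev2 GET http://news.example/sport
2013-07-02T10:20:11 dev2 GET http://news.example/weather
2013-07-02T10:21:00 dev2 GET http://news.example/weather/week
2013-07-02T10:35:30 dev2 GET http://news.example/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Query-string keys that together indicate a device-identifying check-in.
# The real parameter names are not given in the write-up; these are assumed.
IDENTIFIER_KEYS = {"imei", "imsi", "phone", "partner"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, dev, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "dev": dev, "method": method, "url": url}


def identifier_leak(url):
    """Identifying parameters present in the request's query string, sorted."""
    return sorted(IDENTIFIER_KEYS & set(parse_qs(urlsplit(url).query)))


def beacon_score(timestamps):
    """(median gap in seconds, relative jitter) for sorted datetimes; None if too few."""
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    period = median(gaps)
    if period <= 0:
        return None
    jitter = median([abs(g - period) for g in gaps]) / period
    return period, jitter


def analyse(log_text, min_hits=4, max_jitter=0.1):
    """Return check-in and beacon findings for every (device, host) pair in the log."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_pair = defaultdict(list)
    findings = []
    for e in events:
        host = urlsplit(e["url"]).hostname
        by_pair[(e["dev"], host)].append(e["ts"])
        leaked = identifier_leak(e["url"])
        if len(leaked) >= 2:  # a single key (e.g. imei on every poll) is not enough on its own
            findings.append({"type": "checkin", "dev": e["dev"], "host": host, "params": leaked})
    for (dev, host), stamps in by_pair.items():
        score = beacon_score(sorted(stamps))
        if score and len(stamps) >= min_hits and score[1] <= max_jitter:
            findings.append({"type": "beacon", "dev": dev, "host": host,
                             "period_s": score[0], "jitter": round(score[1], 3)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed input, dev1 produces one `checkin` finding (all four identifier keys in one request) and one `beacon` finding with a 60-second period and under 2% jitter, while dev2’s browsing, despite five hits to one host, is too irregular to be flagged. The jitter threshold is the knob to tune on real traffic; a bot that backs off or randomises its sleep needs a looser threshold, and a host that changes after an “update C&C servers” command shows up as a new (device, host) pair rather than a continuation of the old one.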
How to Stay Safe
- Only install apps from trusted stores: Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download apps from being installed.
- Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.
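If an app has to be sideloaded anyway, its manifest says a lot about what it can do. Sending SMS on Android needs the SEND_SMS permission, reading the IMEI, IMSI and phone number that this malware reports needs READ_PHONE_STATE, and reaching a C&C server needs INTERNET; a game or flashlight that asks for all three deserves suspicion. The following is an added example (not Lookout’s code) that checks a decoded `AndroidManifest.xml` for that profile. The two manifests are constructed for illustration, and it is assumed the manifest has already been decoded to plain XML (for example with apktool).

```python
"""Added example (not Lookout's code): triage the permissions a sideloaded APK
requests against the profile of an SMS-fraud payload.  Sample manifests are
constructed; real ones must first be decoded from the APK (e.g. with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
# Needed to read IMEI, IMSI and the line number via TelephonyManager.
IDENTITY_PERMISSIONS = {"android.permission.READ_PHONE_STATE"}

# Constructed: a "flashlight" repackaged with an SMS-sending payload.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed: the same app with only the network permission an ad library would want.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}


def triage(manifest_xml):
    """Summarise SMS, identity and network permissions and whether all three are present."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    identity = sorted(perms & IDENTITY_PERMISSIONS)
    network = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms": sms,
        "identity": identity,
        "network": network,
        "matches_profile": bool(sms) and bool(identity) and network,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, triage(manifest))
```

A match is a reason to look closer, not proof of infection: messaging apps legitimately hold SEND_SMS, and READ_PHONE_STATE was commonly requested by ad libraries of the period. The point is that the permission set, read before installation, should make sense for what the app claims to be.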