An Android botnet affecting hundreds of thousands of Chinese users is netting its masters millions of dollars annually, according to security company Symantec.
The network of compromised mobile phones generates revenue from premium-rate fraud, Symantec said in a blog post on Thursday. "Revenue generation through premium SMS, telephony, and video services is... limited to the networks of China's two largest mobile carriers," said Symantec researcher Cathal Mullaney in the blog post.
On any given day, 10,000 to 30,000 customers of China's two largest mobile operators, state-owned China Mobile and China Unicom, are being fleeced by the premium-rate malware. The botmaster has been raking in profits at this level since September 2011, according to Symantec.
This is the first time Symantec has established that an appreciable amount of money is being made through Android botnets, Tom Parsons, senior manager, quality assurance at Symantec, told ZDNet UK on Friday.
"We're seeing the next stage in the evolution of Android botnets — [hackers] targeting premium rate SMS while having persistent control over a device," said Parsons. "We're seeing real money being made over this."
The malicious application, which is available for download from third-party Chinese markets, prompts for permissions before installation.
Once installed, the app attempts to download a remote administration tool (RAT) that allows hackers to remotely control the device. The tool automatically connects to premium-rate services, and sends data that identifies the phone and the location of the user to the command-and-control server.
Data including IMEI and IMSI numbers, combined with the location area code and mobile network code, allow hackers to identify and locate the device.
The malware, which Symantec detects as Android.Bmaster, remotely deletes premium-rate texts and videos in an attempt to hide the fraud from the user, said Parsons.
Symantec gained access to the server uploading the RAT, and found that the botmaster has "fine-grained control" over the devices, according to the blog post. For example, the botmaster can specify the number of times a device connects to a particular premium SMS number over a number of days. The botmaster can block incoming messages — for example, from network operators — that may alert the user to the scam.
Premium SMS numbers in China cost around $0.15 to $0.30 per message, said Symantec: 10,000 to 30,000 infected devices will generate between $1,500 and $9,000 (£950-£5,700) per day and $547,500 to $3.285 million (£347,500-£2m) per year.
The malware was documented in the wild on 3 February by Xuxian Jiang, an assistant computing professor at North Carolina State University, who called it 'RootSmart'. The malware fetches a root exploit from a remote server and executes the code to escalate privileges. Symantec said it had seen a number of Android bots including Pjapps, a Trojan that opens a backdoor to an infected device.






