Baddies' brilliant plan to get mobile malware whitelisted: Bribery

Criminals have resorted to bribes in order to smuggle malware into the source code of mobile gaming apps.

The scam, in which malware authors bribed the employees of a legitimate mobile games company in China to embed malware into mobile apps, was uncovered by security researchers from Check Point.

The bribe ensured that malicious software was whitelisted (i.e. approved for download without scanning) by Qihoo 360, China's biggest antivirus software firm. This meant that Chinese users of Qihoo 360 installed the malware-infected apps from third-party app stores without receiving malware warnings, because Qihoo “trusted” the apps from the unnamed games developer.

Crooks made money from devices infected by the mobile app to steal money from users’ online payment accounts on transactions made through Taobao.com, a marketplace similar to eBay. The complex fraud involved multiple stages, as explained in a blog post by Check Point researcher Feixiang He.

Customers browse buyer listings of products and, when they find something they want to buy, they initiate the purchase by sending a picture of that item back to the buyer using Aliwanwang, an instant messaging app. Money is then exchanged using Alipay, Aliwanwang’s payment platform.

An attacker, disguised as a Taobao.com customer, would take a seller’s legitimate photo and inject it with a whitelisted Trojan. The seller would open the picture on a PC and become infected because the Trojan would not be detected by Qihoo anti-virus.

The attacker would then request a refund from the seller, requiring the seller to log in to their Alipay account. The Trojan would then keylog their credentials, allowing the attacker to steal money from the seller’s account.

According to Check Point, this shows how even primitive malware might find its way into a “secure” network using tricks such as old-fashioned bribery. The security firm further argues that the incident provides evidence that “whitelisting” of apps or code is not secure – a lesson that also applies to trusted app stores, according to Check Point. ®