AN INVESTIGATION OF
RUSSIAN SMS FRAUD
RYAN W SMITH & TIM STRAZZERE
WHO ARE WE - RYAN W SMITH
• Senior Research and Response Engineer @
• Contributing member of the Honeynet Project
for more than 10 years
• Worked on automated x86/Windows shellcode
deobfuscation and malware sandboxing
before starting Android reversing
• Previously spoke about scalable Android
reversing @ AppSec USA and IEEE HICSS
WHO ARE WE - “DIFF” @TIMSTRAZZ
• Lead Research & Response Engineer @
• Reversed the Android Market/Google Play
• Junkie for reversing mobile malware, creating
write ups and teaching others to help raise the
• Spoke previously about anti-analysis/
decompilation/emulation at BH’11/12,
EICAR’12, HiTCON13, SySCAN ’13 etc.
WHY DEEP DIVE?
• Stats are extremely misleading; but get headlines!
• Did it just go from 100 samples to 163?
163 / 100 == 1.63 == 163%
• Different (zip) hash? Different (unique) sample?
• Correlation by SENDS_SMS is not good enough!
WHY DEEP DIVE?
• New hash != new “sample” -- need context!
• Impressive... “server-side polymorphism”
bebop:alphasms tstrazzere$ shasum *apk
bebop:alphasms tstrazzere$ shasum *.dex*
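The shasum comparison above shows the point: repackaged APKs get a fresh zip hash while the classes.dex inside is unchanged. The following is an added example (not code from the talk) that reproduces that effect offline with constructed in-memory zips standing in for APKs: it hashes each whole zip, then hashes only the classes.dex member, and groups samples by the inner hash so that "new hash" and "new sample" can be told apart. The dex payload, file names and campaign-id asset are constructed stand-ins, not real malware artifacts.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a classes.dex payload (not a real dex file; only
# the bytes being hashed matter for this demonstration).
DEX_BYTES = b"dex\n035\x00" + b"constructed-dex-payload" * 8

# Fixed timestamp so zip output is deterministic; differences between
# samples then come only from their contents.
FIXED_DATE = (1980, 1, 1, 0, 0, 0)


def build_apk(dex: bytes, extra_files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip that stands in for a (re)packaged APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        members = {"classes.dex": dex, **extra_files}
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def dex_sha1(apk_bytes: bytes) -> str:
    """Hash only the classes.dex member, ignoring the zip wrapper."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sha1(zf.read("classes.dex"))


def group_by_dex(apks: list[bytes]) -> dict[str, set[str]]:
    """Map each distinct classes.dex hash to the set of zip hashes carrying it."""
    groups: dict[str, set[str]] = {}
    for apk in apks:
        groups.setdefault(dex_sha1(apk), set()).add(sha1(apk))
    return groups


def summarize(apks: list[bytes]) -> tuple[int, int]:
    """Return (distinct zip hashes, distinct dex hashes) for a sample set."""
    zip_hashes = {sha1(apk) for apk in apks}
    return len(zip_hashes), len(group_by_dex(apks))


def constructed_sample_set() -> list[bytes]:
    """Three repackagings of one dex plus one genuinely different dex."""
    return [
        build_apk(DEX_BYTES, {"assets/campaign.txt": b"id=1"}),
        build_apk(DEX_BYTES, {"assets/campaign.txt": b"id=2"}),
        build_apk(DEX_BYTES, {"assets/campaign.txt": b"id=3"}),
        build_apk(DEX_BYTES + b"\x01", {"assets/campaign.txt": b"id=1"}),
    ]


if __name__ == "__main__":
    samples = constructed_sample_set()
    zips, dexes = summarize(samples)
    print(f"{zips} distinct zip hashes, but only {dexes} distinct classes.dex")
    for dex_hash, zip_hashes in group_by_dex(samples).items():
        print(f"dex {dex_hash[:12]}... seen in {len(zip_hashes)} zip(s)")
```

Counting by zip hash reports four "samples"; grouping by the dex hash reports two, which is the number of distinct code bases an analyst actually has to look at.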
BEYOND SMS FRAUD - NOTCOMPATIBLE
• Interesting exercise in malware component
• Relates directly to PC malware
• Used mass compromised web sites,
compromised swaths of accounts (AOL, Yahoo,
etc.) for distribution (likely purchased?)
• Actively used for evading fraud detection
[Diagram: NotCompatible proxy flow - drag + drop; block by fraud detection; infected proxy device, inside US]
• Top 10 Russian SMS fraud organizations
account for over 30% of worldwide malware
• SMS Fraud is a diverse threat, and requires
• SMS Fraud has effectively been commoditized
in Russia and has a thriving support system
• By taking a “full-stack” approach to tracking
these threats we avoid the typical “whack-a-
mole” AV strategy
THE GIANTS ON WHICH WE STAND
• Thanks to:
• The entire R&R and security team at
• The Honeynet Project
• Mila @ Contagio Dump
• @jduck @pof @osxreverser
@Gunther_AR @TeamAndIRC @cryptax
Keep in touch with