RSA MONTHLY FRAUD REPORT
CYBERCRIMINAL IN BRAZIL SHARES
MOBILE CREDIT CARD STORE APP
August 2014
RSA agents recently traced a threat actor advertising a mobile credit card store
application. The cybercriminal shared the information on his Facebook page, including
methods for using the app and links for downloading it. Besides the obvious purpose of
selling compromised credentials, launching the application on a mobile device also
prompts requests for user permissions, which can give the application the kind of control
over the device that is usually associated with malicious applications.
RSA's open source investigation revealed a cybercriminal openly advertising a CC store
(Figure 1) designed as a mobile phone application for Android and iPhone devices (a
translation follows below).
Good evening everybody! Today I'll show a project
that I've been developing for some while... it's an
automated credit card shop application that runs
on Android and iOS, using my web credit card
store as database.
Remember that I'm the first Brazilian programmer to
develop a mobile application that sells credit cards.
My clients are increasing day by day and I hope
that this new system helps them on their shopping.
The Android application is already nearly done
and the iOS one is 60% done (tested on Galaxy S5
and iPhone 5S, if it doesn't work on your mobile,
send me a message with your model and I'll
check!).
This message is already long so I won't be giving
any more details. Below there's the link for my
website to download the app and its link on
Google Play!
Don't forget to install it on your Android, and next
week I hope that iOS will get it too!
AVAILABLE IN THE OPEN MARKET
The application was made available as a free download on Google Play. The cybercriminal
provided the following instructions for using the app:
- Order a batch of CC credentials
- Enter personal info
- App will send banking info in order to make a deposit
- Wait 24 hours to make a transaction
- Take photo of the transaction deposit slip for proof, and send it to fraudster
- Receive CC credentials in return mail
In the CC shop website shared by the fraudster, there is a link that automatically starts
downloading the application (Figure 2). By clicking on the Android link, an Android binary (APK)
is downloaded, but the iPhone link displays a message advising the user to wait for a week.
A sample of screenshots from the app, with relevant translations, can be found below.

1 Methods of payment:
We accept only bank deposits. As soon as you make
an order, an order number will appear on the screen
with the rest of your registration info and total sum to
be paid. After you make the order you have 24 hours
to make the payment and send the receipt (can be a
photo, scanned or digital receipt for financial@...).
Remember that a few cents will be added to the sum
to better track the deposit. The client will then receive
an email confirmation. We can't guarantee product
availability before the money is in the bank account.
2 Delivery time:
After the payment confirmation we expect a 2 hour
delay for sending the information. When the
payment is accounted for by our financial sector,
the client will receive confirmation via email. Our
objective is for your order to be delivered ASAP.
Plan your shopping and choose the best delivery
method according to your needs.
3 Information exchange:
Offering the best service to our clients with total
guarantee is the most important objective for us.
We want you to have the best shopping experience
possible, so we accept exchange or your money
back with no cost.
Buttons: Agree / Disagree.



Order code
Name
Email
Package: Gold
Quantity: 10 units
Payment method: Deposit
Total value: R$ 700,15 (Real)
Send order
Your order was successfully sent!
Check your email for deposit info.
After the deposit, you'll receive a
payment confirmation in the
CONFIRMATION menu
ANALYSIS OF THE MOBILE APP
A deeper look into the Android application shows that it has potential to be used as
malware. Upon launching, the app requests a large number of permissions from the user,
similar to those commonly requested by mobile malware. Some of the
permissions requested include:
- Read and write in Calendar and Contacts
- Access your location (GPS and network)
- Call numbers
- Read and write to protected and to external storage
- Access to your camera and microphone
- Access to the device ID and phone status
After performing reverse engineering and static code analysis on the application, RSA
agents discovered code that could indicate its use as malware. The app has the ability to
download and install new applications and functions (such as reading SMS, reading SD
cards, etc.). This means the application can update itself later, installing additional
applications that can make use of any of the above permissions.
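The permission groups listed above can be checked against an app's manifest during triage. The following is an added example, not code from the RSA report or from the analysed app: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the mapping of the report's groups to android.permission names, the review threshold and the sample manifest are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: mapping of the report's permission groups to standard Android names.
GROUPS = {
    "calendar/contacts": {"READ_CALENDAR", "WRITE_CALENDAR", "READ_CONTACTS", "WRITE_CONTACTS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call numbers": {"CALL_PHONE"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "camera/microphone": {"CAMERA", "RECORD_AUDIO"},
    "device ID/phone status": {"READ_PHONE_STATE"},
    "sms": {"READ_SMS", "RECEIVE_SMS"},
}

def requested(manifest_xml):
    """Short names of the android.permission.* entries declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID + "name", "") for el in root.iter("uses-permission"))
    return {n[len(P):] for n in names if n.startswith(P)}

def triage(manifest_xml, threshold=4):
    perms = requested(manifest_xml)
    hits = {g: sorted(perms & want) for g, want in GROUPS.items() if perms & want}
    return {
        "groups": hits,
        # Network plus writable external storage is enough to stage a downloaded APK.
        "can_stage_download": {"INTERNET", "WRITE_EXTERNAL_STORAGE"} <= perms,
        "review": len(hits) >= threshold,  # threshold is an arbitrary example value
    }

# Constructed manifest for a hypothetical storefront app; not the analysed sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.storefront">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```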
Additional features revealed in analysis of the application:
- Upon opening the application, it spams the user with two different advertisement
  banners.
- The app has access to the external storage, so it can store and install new applications
  in the external memory space.
- The app employs anti-SDK methods by reading the Android OS Specs to verify if it is
  running on a mobile device or on a virtual machine (laboratory testing environment).
- The app reads the country code and network operator code from the SIM card.
- Upon installation, the app attempts to access the SMS Service and read SMS
  messages.
It is important to note that the CC store application source code is not featured in the
Android binary that was originally downloaded to the device. Instead, the application
updates itself as follows:
- When the application is launched, it downloads the necessary library from the
  fraudster's server. The library contains the source code providing the functions needed
  to make the CC store accessible via the user device.
- The fraudster can change the source code from his side at any time, so that the user
  application can download a new version and use it without the need to be updated.
- In some cases, the library is not downloaded, even though internet access is available.
  This may be due to the app performing an anti-SDK check and only downloading the
  library if it verifies that it is not running on a virtual machine.
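Because the library download may be skipped when the app detects an analysis environment, a sandbox run that shows no download does not rule out remote code loading; a static scan of decompiled sources for environment checks, network fetches and class loaders occurring together is one way to catch that. This is an added example, not code from the report or the app: the indicator names are common Android APIs chosen as assumptions, and both source fragments are constructed.

```python
import re

# Assumption: these are common Android idioms for each behaviour the report
# names, not strings recovered from the analysed sample.
INDICATORS = {
    "env_check": re.compile(r"\bBuild\.(?:FINGERPRINT|MODEL|PRODUCT|HARDWARE|BRAND)\b"),
    "sim_read": re.compile(r"\bget(?:SimCountryIso|NetworkOperator|SimOperator)\b"),
    "fetch": re.compile(r"\b(?:openConnection|HttpURLConnection|DefaultHttpClient)\b"),
    "loader": re.compile(r"\b(?:DexClassLoader|PathClassLoader|loadLibrary)\b"),
}

def scan(source):
    """Return the distinct indicator tokens found for each behaviour."""
    return {name: sorted(set(rx.findall(source))) for name, rx in INDICATORS.items()}

def verdict(source):
    found = scan(source)
    if found["loader"] and found["fetch"]:
        # Remote code plus an environment check: a sandbox run that shows no
        # download proves nothing, so escalate to static review or real hardware.
        return "gated-remote-loader" if found["env_check"] else "remote-loader"
    return "no-remote-loader"

# Constructed fragments of decompiled Java, for illustration only.
SUSPECT = """
if (Build.FINGERPRINT.startsWith("generic") || Build.MODEL.contains("sdk")) return;
String op = tm.getNetworkOperator();
InputStream in = new URL(libUrl).openConnection().getInputStream();
ClassLoader cl = new DexClassLoader(path, cacheDir, null, getClassLoader());
"""
BENIGN = """
String label = Build.MODEL;
HttpURLConnection c = (HttpURLConnection) new URL(api).openConnection();
"""

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, verdict(src), scan(src))
```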
CONCLUSION
This is one of the first malicious apps developed by Brazilians for mobile. The
different permission requests upon launching may be a sign that the app is also used as
malware. Ironically, since cybercriminals are the ones who will use this app to buy CC
credentials, they may themselves be ripped off by the developers of the app.

Phishing Attacks per Month
RSA identified 42,571 phishing attacks in
July, marking a 25% increase from June.
Based on this figure, RSA estimates
phishing cost global organizations $362
million in losses in July.

US Bank Types Attacked
U.S. regional banks have consistently been
hit with 30-35% of phishing volume over
the last few months, targeted by about one
out of every three attacks.
Top Countries by Attack Volume
The U.S. remained the most targeted
country in July with 63% of phishing
volume. China, the Netherlands, the UK
and France were collectively targeted by
20% of total attacks.
[Charts: Phishing Attacks per Month; US Bank Types Attacked (Credit Unions, Regional, National); Top Countries by Attack Volume (U.S., China, UK, Netherlands)]
AUGUST 2014
Source: RSA Anti-Fraud Command Center
Top Countries by Attacked Brands
Brands in the U.S., UK, Canada, and India
were targeted by half of all phishing
attacks in July.
Top Hosting Countries
There was a surprising spike of hosted
phishing attacks in Hong Kong in July at
13%, while the U.S. continued to remain
the top hosting country at 36%, despite a
7% decline from June.
Mobile Transactions and Fraud (Q2 '14)
In Q2, 33% of banking transactions
originated in the mobile channel. This
marks a 20% increase in mobile traffic
from 2013, and a 67% increase from
2012. Among total transactions, one out
of every four identified fraud transactions
was initiated from a mobile device.
[Charts: Top Countries by Attacked Brands; Top Hosting Countries; Mobile Transactions and Fraud; Global Phishing Losses, July 2014]
2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. AUG RPT 0814