Today’s motley cybercrime economy is by no means unfamiliar grounds to those tasked with defending their organizations from its many nefarious devices. Cybercriminals congregate in underground forums and darknets globally, peddling everything a would-be cybercriminal could need, from identities and exploits to Web injections or a place to hide a botnet.

However, while many odd things are bought and sold in the dark enclaves of the Internet, it’s not often that one encounters the more comprehensive breed of toolsets for malicious purposes. One such discovery was recently made by the IBM Security Trusteer Researchers, who uncovered a new Android malware-spreading kit offered for sale in the Russian-speaking cybercrime community.

The vendor of the kit dubbed it “MazelTov” — only unlike the real term, which means “good fortune” in Hebrew, the effects of this botnet-building toolkit are exactly the opposite, at least for the victims.

What Is the MazelTov Toolkit and What Does It Do?

MazelTov is a toolkit — dubbed an “APK Download System” by its creator — that is designed to help cybercriminals upload and spread mobile malware to Android-based user devices, granting them control and providing them with statistics on their infection campaign’s success. The kit includes every possible commodity cybercriminals need on their quest to upload malware to third-party Android application markets and spread it from there to unsuspecting users.

Mobile malware, and the botnets formed from infected devices, are not new per se, but the level of elaborate facilitation in toolkits such as MazelTov is rare. These types of turnkey, crime-friendly services put new capabilities into the hands of every cybercrime newcomer and help seasoned criminals branch out from their PC-based activities into mobile fraud.

In an interesting post discovered by the IBM Security Trusteer Researchers, MazelTov’s kit vendor starts off by pointing out to peers that “the Android traffic and malware installations market is growing rapidly. There are new and interesting ways to monetize Android installations.” And he is right.

The past two years have brought mobile platforms a plethora of malicious applications created for illicit financial gain. This was all made possible by compromising user devices, leveraging that foothold to launch malicious apps and ultimately turning that into money. From adware, spyware and click fraud to automating covert premium SMS messages or phone calls, stealing two-factor authentication codes or obtaining the almighty remote root access, six out of 10 mobile malware detections are related to programs capable of stealing users’ money.

Let’s take a look at what the MazelTov toolkit offers and how it facilitates launching Android malware infection campaigns. For $3,000 or the bitcoin equivalent, the customer will receive the following:

  • Registered developer accounts for the three leading Android markets (the exact markets vary at the vendor’s choice);
  • Two ready-to-use registered domains;
  • A landing page template that can be used as a download site or drive-by download point;
  • A filtration and redirection system for Android devices made to filter out automated bots and unwanted guests (a cloaking of sorts);
  • A recommended method to increase infection rates through social engineering;
  • A Traffic Distribution System (TDS) that adds bot filtering and ensures the fraudster’s website only receives unique visitors from the desired geolocations. It provides detailed statistics per time frame and per country, and it can control separate traffic streams when more than one unique APK is being distributed at a time;
  • One month of paid Virtual Private Server (VPS) rental to be used for hosting the server side of the malware application;
  • Another VPS for hosting the landing pages, with a domain attached to it, and a website ready for a traffic distribution add-on;
  • A fully verified, ready-to-use fraudulent online wallet account for fraudsters to remain anonymous while paying to keep their apps running in the mobile market of their choice;
  • A user manual and consulting services on how to operate the toolkit in order to obtain immediate results (i.e., infected Android devices);
  • Bonus access to a 24/7 automatic WebMoney exchange to the fraudster’s currency of choice.

Mobile Malware Is After the Money

Simply put, the MazelTov offering is an effective means of turning a piece of malware into an active infection campaign. Those using it can choose the type of malicious app to spread, but judging by the statistics, they will go after banking customers. Nearly half of all Android malware apps can steal money. Of those, 66 percent steal online banking transaction tokens, and the rest grab online banking credentials and credit card data, according to Kaspersky Lab.

As for the Android device users such services ultimately target, this progression is concerning because it directly affects their financial accounts and phone bills. The significant and rapid move to mobile devices for banking, payments and shopping has turned smartphones into the new hot spot for malware-enabled fraud. That’s exactly where cybercriminals focus their efforts and offerings nowadays.

The migration of cybercriminals from PCs to mobile has resulted in financial attacks against Android users more than tripling in 2014 and malware infecting as many Android devices as Windows laptops that same year. The outlook for 2015 calls for more of the same.

With these statistics and forecasts, financial institutions that offer mobile banking and mobile payment to customers — as well as e-tailers and organizations whose business growth relies on mobile apps — should address this increased risk by hardening their applications from within.

Financial services providers and organizations that wish to learn more about protecting their mobile apps and their Android user base from the adverse effects of mobile malware may be interested in reading about IBM Security Trusteer Mobile SDK™.

Another Escalation in Mobile Threats

The advent of a highly instrumental offering such as MazelTov in the cybercriminal underground is an escalation that contributes to the prevalence of massively spread mobile malware and the risks that arise from it. The IBM Security Trusteer researchers continue to follow underground discussions and keep readers up-to-date on trends that affect the security of technology we use in everyday life.
