Based on materials upstreamsystems.com
The penetration of smartphones and mobile internet is growing rapidly in emerging markets, giving shoppers more access to information. And it looks like a serious problem is growing in many countries: budget Android smartphones are sold with malware preinstalled to target ad fraud. As a result, for unsuspecting users, this turns out to be the following:
- Systematic collection and transmission of information to third party servers;
- Waste of the traffic they have;
- Fraudulent advertising that results in fraudulent transactions and wastes prepaid traffic.
Let's figure it out from the beginning
Operator billing, a payment method that allows mobile users to use services by replenishing their balance, is the only way for emerging markets to pay for these services. Now it's easier than ever for shoppers in emerging markets to pay online with just one click, thanks to the advanced technology used by mobile operators. No need to fill out long forms with personal data.
In general, online fraud is associated with misleading and provoking clicks, and scammers, using the payment methods offered by online advertising to increase sales, use software to create fake pages and provoke clicks. This affects advertisers as it lowers the actual cost of advertising. In emerging markets, this also affects end consumers, as clicks on unscrupulous ads lead to unwanted purchases and, therefore, affect traffic consumption, up to the full depletion of the prepaid limit.
Emerging markets have a number of differences that can clarify a lot:
Most people are not serviced by banks and are prepaid, they use their mobile account to pay for services.
The cost of traffic is relatively higher than in developed markets. For example, in Africa, 1 GB for prepaid plan owners is equivalent to 16 hours of work at the minimum rate.
Details of the investigation
Since November 2017, Upstream's Secure-D platform, which protects operators and their users from fraudulent transactions, has detected a large number of blocked payment attempts in Brazil originating from Android – smartphones sold under the Multilaser brand. At almost the same time, a similar thing was seen in Myanmar in Android – smartphones under the Smart brand.
Since it is more common for fraudulent attempts to originate from a specific IP address, this case was unusual in that the fraud was concentrated in two different countries on specific devices.
During this period, 45% of all attempted fraudulent transactions for the premium service (online gaming portal) in Brazil were carried out on Multilaser devices (despite the fact that Multilaser's market share is not so large). And 99% of all transaction requests from Multilaser devices in Brazil were blocked as fraudulent by the Secure-D fraud detection algorithm.
At the same time, in Myanmar, 8% of all fraudulent transaction attempts for the same premium service came from Smart devices (definitely the highest percentage for a single brand). And 98.5% of transaction requests from smart devices in Myanmar were identified as fraudulent.
Noticeably, transaction requests in Brazil and Myanmar were sent by the same application called com.rock.gota. The com.rock.gota app cannot be found on Google Play, and on their smartphones, users usually see it as Software Update or Mobile Care.
Analysis of com.rock.gota behavior
The Upstream analyst team has acquired a certain number of devices with a high rate of fraudulent transactions in offline stores in both Brazil and Myanmar. All such devices were preinstalled with the com.rock.gota application, it was identified as soon as the devices were turned on for the first time.
First, we studied the Multilaser MS50S smartphone, placing it in a 'laboratory' environment in which all traffic was recorded.
From the first start-up, the smartphone has transmitted data many times to and from the server with the URL http://api.rock.fotapro.com/, an insecure server located in Singapore with the Gmobi operator.
Gmobi, according to their website, is 'an advertising platform to monetize content and attract users around the world', which has reached '150 million installs in over 120 countries', headquartered in Shanghai (www.generalmobi.com) , declaring that its services are used in China, Taiwan, Southeast Asia, USA, India, Russia.
Continuing to monitor the Multilaser device without accepting the com.rock.gota user agreement or interacting with the application, the specialists analyzed network paths to identify multiple download requests for advertising materials (banners) in the background without the user noticing. One such case was requesting and downloading content from the URL http://cdn3.dd.fotapro.net/files/48649f226927c698a2074f127ea4e82a (still active at the time of writing).
And he leads on the Uber promo campaign, and it is not known whether this is an official campaign approved by Uber or not.
The pre-installed app com.rock.gota has been identified by Secure-D as attempting to fraudulently purchase services on behalf of users. It was previously described by Dr. Web and other sources as collecting information from the device, including email, GPS location (with the exact indication of the street, house number, city, country), unique device identifiers, information that can allow the most accurate identification of the device owner.
It is important to note that the application cannot be uninstalled by the user without rooting, which may void their device warranty.
Similar problems were found by Secure-D analysts in a subsequent study of the behavior of Singtech P10, Smart 12 4G Super Star and Sapphire H7S models purchased in Myanmar.
In addition to being an advertising platform, Gmobi provides mobile device manufacturers with FOTA (Firmware-Over-The-Air) technology, an alternative to Google's official offering, allowing device hardware upgrades over the air. Google requires vendors to pass certification before allowing them to use the official hardware upgrade path.
It looks like a number of manufacturers have chosen a solution from Gmobi. This in itself does not mean that they have preinstalled the program in order to commit fraudulent actions against their customers. But it proves that manufacturers need to have better control over the programs preinstalled on their devices.
Implications for users
Apparently, users in many countries were affected by the pre-installed com.rock.gota app, which resulted in:
- Systematic collection and transfer of their personal data to third party servers;
- Running out of their traffic, which is a huge problem in emerging markets where the cost of traffic is very high. So, in Brazil, for example, 1 GB on a prepaid tariff costs the same as 6 hours of work at the minimum rate;
- Fraudulent transactions using prepaid traffic are the only way to pay for services in emerging markets where most people are not served by banks. So, in Africa, 94% of the population has no connection with financial institutions.
Which markets were affected?
According to the research of specialists of Secure-D, people in eight emerging markets have suffered specifically from the described malware. Most of all in the last two months – in Brazil, Myanmar and Malaysia.
In Brazil, Secure-D recognized over 2 million fraudulent transactions originating from Multilaser devices in just one month (November 2017), associated with numerous services. These attempts account for 41% of the total 247,484 unique phone numbers from which they tried to fraudulently pay for one of the services.
At the same time, in Myanmar, Secure-D recorded over 114,000 fraudulent transactions originating from Smart devices. They make up 21% of the total 110,306 unique phone numbers from which they tried to pay for services fraudulently.
Conclusion
Since the malware was preinstalled, customers could not defend against the com.rock.gota app. Uninstalling it requires root access to Android, which is difficult for the average user. This solution is impractical and very few people can apply it, what to say about the average inhabitant of Brazil or Myanmar.
Secure-D uses machine learning in conjunction with payment processing workflows to protect mobile operators and their users from fraudulent transactions and traffic theft caused by all types of malware and other threats. The platform processes more than 100 million transactions per month, it has detected and blocked over 42,000 malicious applications, recognized more than 2.7 million smartphones affected by them.
Upstream worked with The Wall Street Journal to bring this story to the attention of users. Find out more here.