Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Lookout Mobile has found 10 Russian companies running what could be the most mature mobile malware businesses yet — and they operate just like =Silicon Valley startups.

“This group of malware was accounting for over 30 percent of our overall malware detections and it has been steadily rising,” said Ryan W. Smith, senior research and response engineer at Lookout Mobile, in an interview with VentureBeat. “For PC malware we’ve seen these type of operating, but at this scale and sophistication, not for mobile.”

The company has been researching these businesses, which Lookout calls Malware HQs, for the last six months. They are predominately located in Russia and surrounding areas and make their money off of “toll fraud.” People become victims of toll fraud when they download a malicious app. That app then immediately starts secretly sending “premium text messages,” which are charged to your bill. When you pay the bill, the criminals get the money.

These HQs are the most sophisticated businesses Smith says he’s seen yet, and they’re structured just like any other business. Stripped down, the HQ creates a piece of mobile malware that looks like a popular game or app, such as Angry Birds. That HQ then has affiliates that distribute the app to their targets. When a target is hit, the affiliate gets a cut of the revenue.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

But it goes deeper. The HQ not only creates an app, but it updates it every two weeks with the latest code to help it run more smoothly and stealthily.

Affiliates can customize the malicious app as well. Meaning, an affiliate, who is trying to target a specific group of people, can pick and choose different features — such as the type of app (gaming, pornography, other) — it believes will be most successful.

On top of that, the HQ provides contests, tips, and blog posts to keep the affiliates informed and enjoying their “work.”

Lookout doesn’t know how much the HQs make in malware revenue every year, but Smith explained that one of these affiliates makes $12,000 a month for five months. That’s a lot of success.

Smith would not say whether or not Lookout Mobile had alerted the Russian government to these businesses, citing that he could not reveal details about an ongoing investigation. He did, however, explain that in past research projects, the group has worked with various CERTs (computer emergency response teams). In this case, Lookout is actively working with Google and Twitter, who unknowingly circulate the malware, in order to cut off these businesses distribution centers.

And it seems these partners are responsive to Lookout’s advice. Smith says in the past, Google has taken malicious material out of the Google Play store in the same day.

But cutting off the affiliates is like attacking a hydra. Shut one down, and three more pop up. That’s why Lookout is going to continue its research until it finds that “key piece.” And, there’s a lot more to research. It seems these HQ businesses get even bigger — they have parent companies. These parent companies can take the form of malware conglomerates that run mobile campaigns, PC campaigns, and more.

While these companies have tried to move West, however, they’ve been stymied, retreating back into Eastern Europe. That may be because some countries, such as the U.S., have longer grace periods for refuting a premium text message before payment is issued. Which means customers have more time to notice suspicious activity on their bills.

Still, these companies represent a possibility for those who are perhaps more advanced. They could be a model for some enterprising person who can figure out a way around some of these roadblocks.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.