The malicious logic in a nutshell

The malefactors use a legitimate remote access tool for mobile devices called AirDroid. They try to dupe as many people as possible into installing the app and authenticating with credentials provided by the attackers. The main target audience is 25 year-olds and up. The idea is to transfer money from a card by sending a specific text message to a short number on behalf of the victim. While this service number varies for different banks, a regular Google search finds it in the blink of an eye.
Dissecting the hoax

The hackers download the above-mentioned AirDroid app and install it on their PC. Before that, they create a Gmail account [email protected] and set the password test123. Then they announce a recruitment for the position of an application tester. It doesn’t take any particular skills to qualify for the “job”: those hired only need to install the app and test how it works. The payment is 40-60 USD, depending on how long the testing lasts. 50% of the amount is paid in advance. The criminals’ objective is to recruit as many people as possible by posting ads on various boards and social networks. Plenty of people take an interest in this pseudo job because the offer is so attractive. In response to the applicants’ messages, the rogues provide the following information:
Hello and thank you for contacting us! The app is called AirDroid, it’s officially approved by Google Play and has been around for more than a year. Here’s what the job is about: our users have started complaining that the app doesn’t work right when their devices are being charged, therefore we need you to do the testing when your device is connected to the charger. We will try to identify and fix all the errors in one hour. Regarding the payment, it’s 40 to 60 USD, depending on the duration of the testing process. It won’t take more than one hour for sure, though. As soon as you install the app, we will pay 20 USD to your credit card in advance. If you’re okay with these terms, you’re welcome to join up and we’re looking forward to your response!

In practice, a majority of those interested agree and ask about further steps. The thieves then send them the following message:
Download the app here: play.google.com/store/apps/details?id=com.sand.airdroid. Install it and log in with these credentials: username - [email protected], password - test123, so that our IT department employees can do their job and make the appropriate report.

Note that those are the login details that the culprits used to register their fake account on the official AirDroid website. As you would expect, some of the applicants will opt in; only those who realize it’s a remote access tool quit at that point. Once an unsuspecting wannabe tester has completed the above steps, the crooks ask them which bank to transfer the money to and what their card number is. Having obtained these details, the fraudsters tell the victim that the testing process has started and instruct them to plug in the charger and move on with their day, emphasizing that the advance payment will be sent to their bank account within 15 minutes.

Now that the victim is on the hook, the black hats launch the application on their PC, establish a remote connection with the target device and access the text messages. In some cases they may ask the user to restart the application, because the connection may be lost when the phone is idle for some time. All that’s left for the criminals to do is transfer money to their own account by means of SMS. The text message patterns vary for different banks; it can be something like TRANSFER 123456789101112 100. Once a secret confirmation code is received on the victim’s device, the crooks enter it as fast as possible to make sure the user doesn’t discover the fraud. The surreptitious fund transfers are usually made iteratively in relatively small portions.

Most of these scoundrels take their OPSEC (operations security) seriously. They use fake cards to receive the stolen funds, use Tor and the best VPN providers, use a burner laptop and phone, utilize a password manager, and leverage a virtual OS launched from a thumb drive that they encrypt on-the-fly with TrueCrypt and can simply throw away.

Again, the thieves’ main task is to manipulate as many people as possible, so they post “job offers” that appear too good to be true. Therefore, some reasonable paranoia will help you stay on the safe side. Don’t forget that there is no such thing as a free lunch.
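The transfer pattern described above (several small SMS-initiated transfers in quick succession, each confirmed with a one-time code that the fraudster types in within seconds) is something a bank’s fraud team can look for in its own telemetry. The following Python script is an added example, not code from the original article or from AirDroid: the log format, the account numbers and every threshold are constructed assumptions, and the sample log lines are made up to show one account exhibiting the pattern and one that does not.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class TransferEvent:
    """One SMS-initiated transfer: the command plus its confirmation."""
    account: str
    command_at: datetime    # when the TRANSFER text reached the bank
    confirmed_at: datetime  # when the one-time confirmation code came back
    amount: float


# Constructed sample telemetry in an assumed "timestamp|account|event|amount"
# format (not any real bank's log). Account 4111 shows the pattern from the
# article: three small transfers within a few minutes, each confirmed a few
# seconds after the code went out. Account 5222 is one ordinary transfer
# that a human confirmed a minute and a half later.
SAMPLE_LOG = """\
2024-03-01T12:00:05|4111|TRANSFER_CMD|100
2024-03-01T12:00:11|4111|CODE_CONFIRMED|100
2024-03-01T12:02:40|4111|TRANSFER_CMD|150
2024-03-01T12:02:46|4111|CODE_CONFIRMED|150
2024-03-01T12:05:10|4111|TRANSFER_CMD|120
2024-03-01T12:05:15|4111|CODE_CONFIRMED|120
2024-03-01T12:00:00|5222|TRANSFER_CMD|500
2024-03-01T12:01:30|5222|CODE_CONFIRMED|500
"""


def parse_log(text: str) -> List[TransferEvent]:
    """Pair each TRANSFER_CMD with the next CODE_CONFIRMED for the same account."""
    pending: Dict[str, Tuple[datetime, float]] = {}
    events: List[TransferEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, amount = line.split("|")
        when = datetime.fromisoformat(ts)
        if kind == "TRANSFER_CMD":
            pending[account] = (when, float(amount))
        elif kind == "CODE_CONFIRMED" and account in pending:
            command_at, cmd_amount = pending.pop(account)
            events.append(TransferEvent(account, command_at, when, cmd_amount))
    return events


def flag_suspicious(
    events: List[TransferEvent],
    window: timedelta = timedelta(minutes=15),
    min_transfers: int = 3,
    max_confirm_seconds: float = 30,
    max_amount: float = 200,
) -> Dict[str, int]:
    """Return {account: burst size} for accounts showing a run of small,
    fast-confirmed transfers inside the window.

    The thresholds are assumed values chosen for this example, not bank policy.
    """
    by_account: Dict[str, List[TransferEvent]] = {}
    for event in events:
        by_account.setdefault(event.account, []).append(event)

    flagged: Dict[str, int] = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.command_at)
        for i, start in enumerate(evs):
            # Keep only transfers inside the window that look machine-paced:
            # small amounts, confirmation code entered within seconds.
            burst = [
                e for e in evs[i:]
                if e.command_at - start.command_at <= window
                and (e.confirmed_at - e.command_at).total_seconds() <= max_confirm_seconds
                and e.amount <= max_amount
            ]
            if len(burst) >= min_transfers:
                flagged[account] = max(flagged.get(account, 0), len(burst))
    return flagged


if __name__ == "__main__":
    for account, count in flag_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"account {account}: {count} small SMS transfers confirmed within seconds")
```

On the constructed log the script flags account 4111 (three transfers of 100, 150 and 120 within five minutes, each confirmed in about six seconds) and leaves 5222 alone. In practice the confirmation delay is the stronger signal: a person reading a code off their phone and typing it into a banking channel rarely manages it in under ten seconds, whereas someone watching the inbox through a remote access tool does so routinely, so a flagged burst is a good trigger for an out-of-band call to the customer before further transfers clear.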