Skip to content

Russian App Fraud: The Case Against App Searches

Our 2Q 2013 Security Roundup states that premium service abusers are the most dominant among all malicious Android apps. They make up 40% of the global total of malicious app detections. Russia has become one of the main targets of premium service abusers, caused by the country's lack of standard app stores. This creates a demand not only for third-party app stores but also leads mobile users to search for free alternatives to paid recently released apps.

The predominant routine of premium service abusers is to secretly subscribe an affected device to premium services without the user's authorization or knowledge. This subscription leaves the user with unexpected charges, resulting in financial loss.

More information about premium service abusers can be found in a past edition of our Monthly Mobile Review entitled, "The Hidden Risk Behind Ad Networks."

The Scam

Cybercriminals capitalize on the demand for an alternative source of apps in Russia through certain methods. One of which is creating fake, malicious versions of legitimate apps. They offer these fake apps for free, peddling them via blackhat search engine optimization (SEO)-enhanced websites. Blackhat SEO campaigns push malicious websites to the top of search engine results when users go looking for legitimate apps.

Distribution of Apps Downloaded from Malicious Sites by Type

Other methods cybercriminals use to push malicious wares are short message service (SMS) spam and mobile advertisements. The former comes as unsolicited text messages that contain malicious links in the message body, while the latter pops out from game and social networking apps as well as mobile websites.

These inevitably lead to malicious websites—presented as blogs, app stores, or specific app download sites—that host fake apps. The domains these websites are hosted on predominantly come from the Czech Republic—more than 50% of them. Germany, the Netherlands, and Romania were found to harbor the remaining domains with shares of 9% from Germany and 4% each from both the Netherlands and Romania.

Top Countries Hosting Malicious App Sites

Regardless of how the malicious app was delivered, the outcome remains the same—users' devices are infected with malware that slowly drain their pockets of money.

Typical Premium Service Abuser Infection Chain

The end result? We found that 36% of all unique premium-service-abuser-infected devices came from Russia from November 2012 to May 2013. Victims from other Russian-speaking countries were also spotted, particularly Ukraine and Uzbekistan. It's also worth noting that despite the Russian language used by these premium service abusers, non-Russian-speaking countries also had their share of victims. Non-Russian-speaking countries, in fact, accounted for a 59.3% share, which is bigger than the primary target base.

Top 10 Countries Affected by Premium Service Abusers


Premium service abusers targeting Russia should be considered a cautionary tale. Risky activities like searching for free versions of legitimate apps should be avoided. User privacy, security, reputation, and user finances are at risk of being compromised.

Android is still plagued by an ever-present update problem that leads to vulnerabilities that allow malicious apps to hide in the background. This makes education about such risky behavior essential. The volume of Android malware also continues to exponentially rise, exceeding even our worst projections.

While premium service abusers are a clear problem for Russian mobile users, they will inevitably become an even bigger issue for other regions when cybercriminals move to the mobile platform as their primary source of income.

Connect with us on