Symantec security researchers are seeing cyber-criminals increasingly using Twitter as a way of luring mobile device users to their malware.
In a March 12 post on Symantec's blog, company employee Joji Hamada said that tweets are becoming a popular way for cyber-criminals to bring people to the Android.Opfake malware.
"Users can potentially end up infecting their mobile devices with Android.Opfake by searching for tweets on subjects such as software, mobile devices, pornography or even dieting topics, to name a few," Hamada wrote. "Android.Opfake is not hosted on the Android Market (Play Store) and these tweets lead to malicious Websites developed for the Opfake application."
These tweets, Hamada said, usually have short URLs, and are primarily written in Russian, with some English mixed in. In addition, once the users get to the site, they're prompted to install the malicious code. However, while those are common aspects of most cyber-criminals using Twitter, their individual tactics vary, making it difficult to determine which tweets are bad, short of actually clicking on the link.
In the blog post, Hamada gives several examples of malicious tweets.
He also outlines other characteristics of malicious tweets, though cautions that they can vary wildly. Some, Hamada said, can be more easily spotted because similar tweets are being sent out constantly and have no followers. That said, there are others that don't tweet as often and do have followers. Some have content in the profiles, while others don t. Some have strange account names, but other account names are pretty common.
Again, Hamada in the blog post shows some of the more easily recognizable bad accounts.
Symantec is finding that there are malware operations that are running continuously, with some being executed at the same time. Hamada pointed to a recent operation that ran for eight hours and included more than 130,000 tweets from about 100 accounts before it stopped. Another that occurred at the same time sent out more than 1,500 tweets from more than 50 accounts in about an hour.
"There were other minor operations taking place as well," he said in the blog post. "However, I was unable to confirm the number involved."
Hamada commended Twitter for being responsive to findings of malicious tweets from Symantec, which reports to Twitter when it sees particular patterns in malicious tweeting. Symantec suggests to Twitter officials that they shut down such accounts. Twitter also offers a place where users can report if they suspect an account is nothing more than spam.
Hamada said those cyber-criminals running malicious tweeting operations are now following a similar cat-and-mouse game that occurs with traditional malware. That is, security vendors update detections for malware, and the malware developers then update their malware.
"Cyber-criminals mix their game around, thereby making it difficult to recognize all bad tweets and most of all: they are persistent," he wrote.
He noted that Twitter's Help Center also offers tip on keeping a Twitter account secure.
"Smartphones have allowed users to access the Internet anytime, anywhere and perform tasks that were only possible using computers," Hamada wrote. "While the convenience provides so many great advantages, cyber-criminals are also taking this opportunity to accomplish their bad deeds. So be wary when using mobile devices. For tweets in particular, be selective when deciding which links in the tweets to click on. You may want to only trust tweets you are familiar with. Tweets are similar to email. You wouldn't open an email from an unknown sender and then click on the included link, would you? This usually means bad news and the same goes for tweets."
Hamada has been following the Android.Opfake malware. In a March 2 blog post, he noted that while the developers of the malware have targeted Android- and Symbian-based smartphones, they also are looking to target users of Apple's iPhone.
"We have come across a couple of Opfake Websites that, while hosting malicious apps that Symantec detects as Android.Opfake, are also designed to perform social engineering attacks on iPhone users," Hamada wrote. "The iPhone is designed to prevent the installation of applications outside of the Apple App Store. This makes life difficult for bad guys attempting to fool users into installing malicious apps in a similar manner to Android and Symbian devices. To get around this, the Opfake gang has developed a social engineering trick that does not require apps to scam site visitors."