Android tech support scams? Not quite, but technical accuracy isn't a scammer's priority and Android users' money is as desirable as anyone else's.
If you read some of the recent reports based on an excellent article by Jérôme Segura for the Malwarebytes blog, you might have got the impression that tech support scams and scammers are finally moving on from Windows users (especially XP users) to target users of smart/mobile devices (smart phones, tablets). (Not to mention Mac users.) That isn’t quite what he’s saying, though, and it’s not really the case. While the scammers he describes have been luring potential victims by advertising tech help for Android, they’re still primarily using a remote connection to a Windows PC to trick victims into believing they need to pay them for fixing problems that don’t actually exist.
Nonetheless, there’s plenty of food for thought (or fraud) here.
- While there’s no absolute reason why a cold-call scammer couldn’t worm his way into the victim’s confidence by offering ‘help’ with Android, the scam described here does suggest a move we’ve hinted at before on this blog. As Segura suggests, this may be related to the fact that cold-calling is becoming less cost-effective as the number of people who’ve heard of the scam increases. As he says: “While paying for ads requires a certain budget, ads have the advantage of funnelling higher quality prospects because people are actually already experiencing an issue”. There is no shortage of dubious sites offering tech support, but as Martijn Grooten (of Virus Bulletin), Steve Burn (now also at Malwarebytes) and I pointed out in a blog here some time ago, you can also find scam support resources in the form of Facebook pages and blog pages.
- The scammer in this instance didn’t show any particular knowledge of Android as a vulnerable platform – somewhat ironically, given Android’s established reputation as the ‘New Windows’ in terms of susceptibility to attack – but instead used a variation on known, older social engineering techniques executed through remote access to the PC with which the mobile device was paired. Rather than attempting more than a desultory check of the phone’s properties and storage, he badmouthed the inoffensive and indeed essential rundll32.exe Windows executable, claiming it was not only evil but somehow magically installed on the Android phone. (For a previous example of a scammer claiming that this file shouldn’t be found on an uninfected system, see Martijn Grooten’s article here.)
- He then performed a little delete/undelete sleight of hand with files from the prefetch folder. Not that prefetch misuse for this type of scam is at all novel, but there’s a bit of a twist here. The scammer claimed that the prefetch contents were malicious, but also used their disappearance and reappearance to ‘prove’ that there was a problem. In fact, sleight of hand is overstating it: it wouldn’t take much knowledge of technology to recognize that the scammer was doing something suspicious, but then this kind of scam isn’t aimed at people who know about technology.
- There isn’t a snowball’s chance in Hades that the scammer doesn’t know that what he’s doing isn’t legitimate. Actually, and referring back to cold-callers, I think we long ago went past the time for giving any of them the benefit of the doubt: nowadays, they tend to drop the call as soon as the word scam is spoken, rather than trying to justify themselves.
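For readers who want to check the two claims above for themselves rather than take a remote ‘technician’s’ word for it, here is a short PowerShell script. It is an added example written for this post, not something the scammer or Malwarebytes supplied: it confirms that the rundll32.exe in System32 carries a valid Microsoft Authenticode signature, and lists the contents of the Prefetch folder so you can see they are ordinary application-launch cache files (*.pf) that Windows recreates on its own, which is why a scammer can ‘delete’ them and have them ‘reappear’. The paths use the standard %SystemRoot% locations; the script assumes it is run on a normal Windows installation and makes no changes to the system.

```powershell
# Added example (not from the original post): verify the two files a
# tech-support scammer typically points at on a Windows PC.

# 1. rundll32.exe is a stock Windows component and should be signed by Microsoft.
$rundll = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$sig = Get-AuthenticodeSignature -FilePath $rundll

[PSCustomObject]@{
    File       = $rundll
    Present    = Test-Path $rundll
    SigStatus  = $sig.Status                       # expect 'Valid'
    Signer     = $sig.SignerCertificate.Subject    # expect a Microsoft subject
} | Format-List

# 2. Prefetch holds launch-cache entries (*.pf) for programs you have run.
#    Their presence is not evidence of infection; Windows regenerates them,
#    which is why "delete, then watch them come back" proves nothing.
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
$pf = Get-ChildItem -Path $prefetch -Filter '*.pf' -ErrorAction SilentlyContinue

"Prefetch entries: $($pf.Count)"
$pf | Sort-Object LastWriteTime -Descending |
     Select-Object -First 10 Name, LastWriteTime |
     Format-Table -AutoSize
```

Reading the Prefetch folder requires an elevated prompt on most systems; a non-elevated run simply shows zero entries, which is itself worth knowing when someone on a remote session insists that what you are seeing is alarming.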
I have to agree with Segura, though, that it’s likely that scammers will move towards direct access to phones and tablets in the future, where possible. However, there may not be the same scope for the sort of trickery (like the misuse of prefetch, CLSID, Event Viewer, INF, and so on) that we've seen in recent years exploiting features of Windows.
In the meantime, here’s a thread to which Steve Burn drew my attention, regarding some sites that may be used by scammers as ‘proof’ of legitimacy.
David Harley