Law enforcement officers in the UK, Germany, France, Belgium, Switzerland and the US have raided homes and arrested suspected users of the DroidJack smartphone malware.
The malware – also known as Android.Sandorat – is a remote-access Trojan (RAT) that is openly available on the internet for around $210. It enables cyber criminals to take control of Android smartphones undetected to monitor data traffic, listen in on calls and hijack the phone’s camera.
Other features include the ability to remotely copy files from the device to a computer, view all messages on the device, list all contacts, get device and carrier details, and retrieve the device's last GPS check-in and plot it in Google Maps.
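The capability list above maps almost one-to-one onto Android permissions, which is what a mobile triage check looks for. The script below is an added example, not code from the page or from the DroidJack malware: it parses a decoded AndroidManifest.xml, matches each capability the article describes to the permission an app would need for it, and returns a weighted score. The permission names are real Android permissions; the weights, the `com.example.flashlight` package and the manifest itself are constructed for this demonstration.

```python
"""Triage a decoded Android manifest for the permission set a spyware-style RAT needs.

Added example, not code from the article or from DroidJack. Permission names are
real Android permissions; the weights are an assumed heuristic and the sample
manifest is constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> permission(s) an app needs for it, and a weight.
# Weights are an assumption for this example; tune them against your own app inventory.
CAPABILITY_PERMISSIONS = {
    "record calls / audio": ({"android.permission.RECORD_AUDIO"}, 3),
    "hijack camera": ({"android.permission.CAMERA"}, 3),
    "read messages": ({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}, 3),
    "list contacts": ({"android.permission.READ_CONTACTS"}, 2),
    "device/carrier details": ({"android.permission.READ_PHONE_STATE"}, 1),
    "last GPS location": ({"android.permission.ACCESS_FINE_LOCATION"}, 2),
    "copy files off device": ({"android.permission.READ_EXTERNAL_STORAGE"}, 1),
    "talk to a controller": ({"android.permission.INTERNET"}, 1),
    "survive reboot": ({"android.permission.RECEIVE_BOOT_COMPLETED"}, 2),
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def rat_capabilities(manifest_xml: str) -> dict:
    """Map each RAT-style capability the app could exercise to its weight."""
    perms = declared_permissions(manifest_xml)
    return {
        cap: weight
        for cap, (needed, weight) in CAPABILITY_PERMISSIONS.items()
        if perms & needed  # any one of the listed permissions is enough
    }


def risk_score(manifest_xml: str) -> int:
    """Sum of weights; a 'flashlight' app scoring in the teens deserves a look."""
    return sum(rat_capabilities(manifest_xml).values())


# Constructed manifest for a hypothetical app; the package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for cap, weight in sorted(rat_capabilities(SAMPLE_MANIFEST).items()):
        print(f"{weight}  {cap}")
    print("score:", risk_score(SAMPLE_MANIFEST))
```

A permission check is a triage signal, not proof: a legitimate messaging app also asks for SMS, contacts and camera. The combination that stands out is audio plus camera plus location plus boot persistence in an app whose stated purpose needs none of them.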
The investigation was initiated by the German authorities and supported by Europol and Eurojust, with law enforcement officials from six countries taking part.
Europol said it supported the investigation by providing analytical support and facilitating information exchange through the Joint Cybercrime Action Taskforce (J-CAT), hosted at Europol’s European Cybercrime Centre (EC3) in The Hague.
Source code for the malware was first offered for sale on underground hacking forums in December 2013, and the malware was used in criminal activity targeting Polish online banking users through a phishing email in August 2014, according to Hacker News.
According to Symantec, DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid.
The joint EU/US operation is the latest example of international collaboration between law enforcement officers aimed at the creators and users of malware, rather than a response to particular cyber crimes.
There is a growing international consensus that going after the developers, distributors and downloaders of malware is an effective way of tackling the growing problem of transnational cyber crime.
In October 2014, former EC3 head Troels Oerting said there were only around 100 kingpins who develop malware for all kinds of cyber criminals around the world.
“We roughly know who they are. If we can take them out of the equation then the rest will fall down,” he told the BBC.
In this latest case, the operation targeted only those who had purchased the malware. “Although most of us would probably like to see the authors of such malware punished in some way, it’s also clear that it’s important that those who are on the other side of the supply and demand chain are also discouraged,” independent security consultant Graham Cluley wrote in a blog post.
According to a report published by Europol’s EC3 in September 2014, the cyber crime support industry is becoming increasingly commercialised with specialists in the virtual underground economy developing products and services for use by other cyber criminals.
This means that would-be cyber criminals do not have to be technical experts. They can simply purchase and download the tools they need, which has prompted law enforcers to shift their attention to cutting cyber crime off at source by going after the tools and infrastructure that enable it.
Dismantling and disrupting the criminal infrastructures behind illicit online services was one of the report's key recommendations for law enforcement organisations seeking to address the evolving and transnational nature of cyber crime in a diverse and flexible manner.
In October 2015, the UK's National Crime Agency set up a sinkhole for the Dridex malware, in conjunction with a US sinkhole operated by the FBI, to stop infected computers, collectively known as a botnet, from communicating with the cyber criminals controlling them.
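A sinkhole only stops the traffic; the defender still has to find the machines that tried to reach it. The script below is an added example, not part of the article or of the NCA/FBI operation: it reads resolver logs and reports every internal client whose lookup of a command-and-control domain resolved to a sinkhole address. The sinkhole range, the domains and the log lines are all constructed for the demo, and the log format (`<timestamp> <client_ip> <qname> <type> <answer>`) is an assumption; a real deployment takes the sinkhole addresses from the operator or a threat-intelligence feed and adapts the parser to its own resolver.

```python
"""Flag internal hosts whose DNS answers point at a sinkhole.

Added example, not code from the article or from any law-enforcement operation.
The sinkhole network, domains and log lines below are constructed for the demo,
and the resolver log format is an assumption.
"""
import ipaddress
from collections import defaultdict

# Assumed sinkhole range for the demo; real operators share theirs with partners.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def is_sinkhole(ip: str) -> bool:
    """True if the answer address falls inside a known sinkhole range (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def parse_line(line: str):
    """Assumed resolver log line: '<ts> <client_ip> <qname> <A|AAAA> <answer_ip>'.

    Returns (ts, client, qname, answer) or None for lines that do not fit.
    """
    parts = line.split()
    if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
        return None
    ts, client, qname, _, answer = parts
    try:
        ipaddress.ip_address(answer)
    except ValueError:
        return None
    return ts, client, qname.rstrip("."), answer


def sinkhole_hits(log_lines) -> dict:
    """Map each client IP to the sorted list of sinkholed domains it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, answer = rec
        if is_sinkhole(answer):
            hits[client].add(qname)
    return {client: sorted(domains) for client, domains in hits.items()}


# Constructed log lines; the .test domains and 10.0.0.0/8 clients are made up.
SAMPLE_LOG = """\
2015-10-14T09:12:01Z 10.0.5.23 update.example-c2.test. A 198.51.100.7
2015-10-14T09:12:02Z 10.0.5.23 www.example.org. A 93.184.216.34
2015-10-14T09:12:05Z 10.0.7.9 cfg.example-c2.test. A 198.51.100.7
2015-10-14T09:13:40Z 10.0.5.23 cfg.example-c2.test. A 198.51.100.7
2015-10-14T09:14:00Z 10.0.9.1 mail.example.org. AAAA 2001:db8::1
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for client, domains in sorted(sinkhole_hits(SAMPLE_LOG).items()):
        print(f"{client} reached sinkhole via: {', '.join(domains)}")
```

A hit means the host carries the malware and needs remediation, not that the threat is over: the sinkhole holds only the domains seized in that operation, and a bot that falls back to hard-coded IP addresses or a new domain-generation seed will not show up here at all.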