The Android:FakeInst family of malware seems to be a never-ending story. Its creators have been trying to trick users into sending premium rate SMS messages for several months now. Just a few days ago, we discovered 25 more apps placed on alternative markets, all based on concepts very similar to the one in the story we wrote about before Christmas.
This time malicious Android applications are hosted on several domains:
All these sites were registered a week ago, so it looks like they were meant to serve as malware hosting for the bad guys from the very beginning. Also, if someone tries to access these sites from a browser, the visitor only receives a 404 error message, which does not look like a legitimate site. Analyzing the trail the malware creators left for us, we’ve discovered a few sites they have used to attract users. All of them target Russian-speaking people and look like alternative markets. In reality, these sites exist for only a short period of time and offer only fake downloaders.
Just a couple of weeks ago, Chris DiBona, Open Source Programs Manager for Google, claimed that no real malware exists and that “Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS”. Well, let’s see about that.
Just a few hours ago, another group of malicious applications was removed from the official Android Market after we alerted Google’s security team to their presence. In addition to the official Android Market, these apps have also been available in around five “unofficial” markets. These are malicious apps that send premium SMS messages to numbers which users are charged a lot for. What’s more frightening is that this seems very similar to a case discovered just a few days ago. That one was pointed out by Lookout mobile security and, as you can see in their blog post, they were also talking about malicious apps that sent SMS messages to premium numbers. Clearly both groups of applications were created by the same person, although published under a different name.
Apps published by the developer Miriada Production may look like well-known Android games (Angry Birds, Need for Speed, World of Goo and others), and users could easily be confused.
Our original blog entry about a malicious version of an IncorporateApps Android application called “Walk and Text” generated some very contentious comments from the author/distributor/publisher of the legitimate application. So, we decided to rewrite the posting to make things a bit clearer:
One of our analysts received (from one of their friends) the SMS that you see down below. We thought it was intriguing and we decided to investigate. We found the infected “Walk and Text” application on the internet (it is not, of course, on the official Google marketplace) and tore it apart.
We initially thought it was just a classic Android Trojan. Since the bad guys do like to hide viruses/Trojans inside pirated applications, this seemed a very reasonable explanation. The application was also signed, but with a profane signature, and thus there was no way it would ever be published on a legitimate marketplace. It did two things. First, it sent the above-mentioned SMS to the contacts in the user’s Android phone contact book.