Our original blog entry about an malicious version of an IncorporateApps Android application called “Walk and Text” generated some very contentious comments from the author/distributor/publisher of the legitimate application. So, we decided to rewrite the posting to make things a bit clearer:
One of our analysts received (from one of their friends) the SMS that you see down below. We thought it was intriguing and we decided to investigate. We found the infected “Walk and Text” application on the internet (it is not of course on the official Google marketplace) and tore it apart.
We initially thought it was just a classic Android Trojan. Since the bad guys do like to hide viruses/Trojans inside pirated applications, this seemed a very reasonable explanation. The application was also signed but with a profane signature and thus there was no way it would ever be published on a legitimate marketplace. It did two things. First, it sent the above-mentioned SMS to the contacts in the user’s Android phone contact book.
And now there is a third category: semi-fake antivirus. It’s not a blatant malware attack and may actually include a real antivirus application. From a strictly technical perspective, it might not even be called malware.
But one thing is clear: it is still taking money from consumers in a way that some would call fraudulent.
Recently, I got an email from the UK-based Computeractive about an irate customer wanting a refund on avast! Pro. It seems that the person went on the internet, searched for avast, and found a site offering special download services and videos. They ended up getting a messed-up computer and spending over $100.
And then there is the French Connection: avast2011.fr-01.net. Combining avast, the year, and a major French IT portal together into a very attractive domain name; hackers created Read more…
One of our users sent us a sample of rogue AV for analysis. He didn’t attach further informations and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of clean (freshly installed) Win XP was used to run it and this screen appeared: