English
Français 
Deutsch 
Italiano 
日本語 
Русский 
Español 
Čeština 
polski 
Português 
Türkçe 
Ukrainian Archive
Android is calling: Walk and Text and be Malicious
Our original blog entry about an malicious version of an IncorporateApps Android application called “Walk and Text” generated some very contentious comments from the author/distributor/publisher of the legitimate application. So, we decided to rewrite the posting to make things a bit clearer:
One of our analysts received (from one of their friends) the SMS that you see down below. We thought it was intriguing and we decided to investigate. We found the infected “Walk and Text” application on the internet (it is not of course on the official Google marketplace) and tore it apart.
We initially thought it was just a classic Android Trojan. Since the bad guys do like to hide viruses/Trojans inside pirated applications, this seemed a very reasonable explanation. The application was also signed but with a profane signature and thus there was no way it would ever be published on a legitimate marketplace. It did two things. First, it sent the above-mentioned SMS to the contacts in the user’s Android phone contact book.
Attack of the semi-fake antivirus
We know what fake antivirus is: malware posing as real antivirus while hijacking your computer and wallet. Then there is real antivirus: applications such as avast! and our competitors.
And now there is a third category: semi-fake antivirus. It’s not a blatant malware attack and may actually include a real antivirus application. From a strictly technical perspective, it might not even be called malware.
But one thing is clear: it is still taking money from consumers in a way that some would call fraudulent.
Recently, I got an email from the UK-based Computeractive about an irate customer wanting a refund on avast! Pro. It seems that the person went on the internet, searched for avast, and found a site offering special download services and videos. They ended up getting a messed-up computer and spending over $100.
And then there is the French Connection: avast2011.fr-01.net. Combining avast, the year, and a major French IT portal together into a very attractive domain name; hackers created Read more…
Defense center and a piece of luck
One of our users sent us a sample of rogue AV for analysis. He didn’t attach further informations and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of clean (freshly installed) Win XP was used to run it and this screen appeared:
avast! on Twitter
avast! on Facebook