Android malware in the open marketplace
Just a couple weeks ago, Chris DiBona, Open Source Programs Manager for Google, claimed that no real malware exists and that “Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS”. Well, let’s see about that.
Just a few hours ago, another group of malicious applications were removed from the official Android Market after we’ve alerted the Google’s security team to their presence. In addition to the official Android Market, these apps have also been available in around five "unofficial" markets. These are malicious apps that send premium SMS messages to numbers which users are charged a lot for. What’s more frightening is that this seems very similar to a case discovered just a few days ago. This one was was pointed out by Lookout mobile security and, as you can see in their blogpost, they were also talking about malicious apps that sent SMS messages to premium numbers. Clearly both groups of applications were created by the same person although published under different name.
Apps published by the developer Miriada Production may look like well known Android games (Angry birds, Need for speed, World of Goo and others) and users could be easily confused. For example, if someone tried to look for "Cut the rope free", this malicious application was in the fourth place in the search results. Of course, there are many signals that an app like this is a fraud but less experienced users may not be able to see this as clearly as we do. First of all, the size is only 56 KB for all games from this publisher. Secondly, the permissions are really strange, since the game needs to be able to send a SMS. And there are many others...
When a user installs this application, it starts to download a package from a remote server. This package actually does contain a real game. But, while doing this, the app is sending a SMS to a premium rate number. One interesting facet is that there is a different number for many countries in Europe, so it does not target Russian only. For example, within the Czech Republic, the SMS is sent to number 9090199 which charges about €4. In other countries, the amount charged is usually a bit less.
The app distinguishes between these countries based on their ISO and nearly 20 individual countries are affected - Armenia, Azerbaijan, Belarus, Czech Republic, Germany, Estonia, France, United Kingdom, Georgia, Israel, Kyrgyzstan, Kazakhstan, Liechtenstein, Latvia, Poland, Russian Federation, Tajikistan and Uganda. The developer of these fraudulent apps tries to justify what he does by including a Rules section where he explains that the app is actually charging you money. But let’s be honest, who reads these things? Also nothing like this is mentioned on the app download page on the Android Market.
Avast detects this kind of malware as Android:RuFraud and users of avast! Free mobile security are already protected.