November 4, 2011 By Armando Orozco

I don’t think it means what you think it means…

Websites Hosting Android Trojans  

By Armando Orozco and Nathan Collier

Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.

The Websites

These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market.  We are discovering that this network of SMS Trojans is fairly large.

Fake Installer Description

Legit Installer Description


The Threat

We’re calling these Trojans Android.SMS.FakeInst. We’ve found multiple variants but they all have the same objective. The Trojan informs the user that if they want to download the app, they must first agree to sending three premium rate text messages. In most cases the user will get the app they wanted, but for a fee. Rates vary depending on country and carrier, but typically the three messages will go to different numbers, with each charging a different fee. The screenshots below show examples of the screen when you first run the app and the rules you must agree to.

Using the premium numbers shown in the screenshots, the fees would be:

  • #7151: range of 33.87-40.00 rub (US $1.10-1.30)
  • #9151: range of 101.60-140.42 rub (US $3.30-4.56)
  • #2855: range of 170.00-203.20 rub (US $5.52-6.60)

Total cost

  • 137.17-383.62 rubles (US $9.92-12.46)

As you can see, that’s a pretty steep fee for an app you can get for free from the Google Marketplace. Even if it’s a paid app, the price is steeper than most and there’s no guarantee it will work correctly.

The permissions these apps typically request are READ_PHONE_STATE, SEND_SMS, RECEIVE_SMS and INTERNET; however, we have seen a few more sophisticated apps that request the same permissions as the app they are impersonating.

It’s known that most Android malware is distributed through alternative markets, but this is a whole new level. Choose your apps wisely and download from a trusted source. Check reviews, research the developer and verify permissions requested before downloading.
