March 6, 2012 By Nathan Collier

Evolution of Android Malware “The touch, the feel of being tricked into sending premium SMS messages, the worst feeling of our lives” (Part 3)


Android.SMS.FakeInst is a Trojan that aims to do one thing: trick users into sending premium SMS messages by pretending to be an installer for an app. Here’s how the scam works: the user sends three premium SMS messages in exchange for an app, but there is no guarantee that anything will actually be installed once the scammers have the money. These malicious apps are getting harder and harder to recognize as malicious as their look and feel improves with each new iteration. One variant of these Trojan apps, which comes from a known malicious site, looks better with each update. Let’s start with one of the first iterations of this variant.

The icon looks fairly convincing:

Not very compelling with only simple text asking to agree to download:

Here’s the agreement stating it’s ok for them to steal from you… don’t think it quite works that way in our legal system:

The first iteration isn’t too compelling at all.  Let’s look at the next iteration.

Nice looking icon they have here:

Oooo, a status bar!  This has to be legit, right?

There’s that pesky agreement again.

The app was more believable this time. Nice touch with the status bar. On to the last iteration, which we saw just last month, in time for the Beta Google Chrome for Android release.

Say, that icon looks familiar!

WOW, looking sharp, SMS.FakeInst!

Even the agreement looks more convincing with that clean looking ‘Start’ button:

Each iteration looks better. Nice to see the bad guys have more pride in their work as time goes by. The lesson here is to read the rules and agreements, and if the agreement asks for three payments in the form of premium SMS messages and states that it assumes no liability for damages including loss of profits, it’s probably not legit. New variants of these SMS.FakeInst Trojans are coming out every other day, and the bad guys are hosting their malware on sites that are as convincing as the apps, as we discussed in our November blog post, “I don’t think it means what you think it means…”. We are working hard to keep you protected, and with Webroot SecureAnywhere Mobile we promise our agreement won’t ask you to send premium SMS messages.
