Evolution of Android Malware “The touch, the feel of being tricked into sending premium SMS messages, the worst feeling of our lives” (Part 3)


by Nathan Collier

Android.SMS.FakeInst is a Trojan that aims to do one thing: trick users into sending premium SMS messages by pretending to be an installer for an app. Here’s how the scam works: the user sends three premium SMS messages in exchange for an app, but there is no guarantee that anything will actually be installed once the scammers have the money. These malicious apps are getting harder and harder to recognize as malicious, because their look and feel improves with each new iteration. One variant of these Trojan apps, which comes from a known malicious site, looks better with each update. Let’s start with one of the first iterations of this variant.

The icon looks fairly convincing:

Not very compelling with only simple text asking to agree to download:

Here’s the agreement stating it’s ok for them to steal from you… don’t think it quite works that way in our legal system:

The first iteration isn’t too compelling at all.  Let’s look at the next iteration.

Nice looking icon they have here:

Oooo, a status bar!  This has to be legit, right?

There’s that pesky agreement again.

The app was more believable this time.  Nice touch with the status bar.  On to the last iteration we saw just last month in time for the Beta Google Chrome for Android release.

Say, that icon looks familiar!

WOW, looking sharp SMS.FakeInst!

Even the agreement looks more convincing with that clean looking ‘Start’ button:

Each iteration looks better. Nice to see the bad guys have more pride in their work as time goes by. The lesson here is to read the rules and agreements: if the agreement asks for three payments in the form of premium SMS messages and states that it assumes no liability for damages including loss of profits, it’s probably not legit. New variants of these SMS.FakeInst Trojans come out every other day, and the bad guys host their malware on sites that are as convincing as the apps, as we discussed in our November blog post, “I don’t think it means what you think it means…”. We are working hard to keep you protected, and with Webroot SecureAnywhere Mobile we promise our agreement won’t ask you to send premium SMS messages.





About the Author

Name: Nathan Collier
Role: Retired ThreatBlog Member


Nathan was a Senior Threat Research Analyst for Webroot, having been with the company since October 2009. He started his career working on PC malware, but now spends most of his time in the mobile landscape researching malware on Android devices. Because of his early adaptation to mobile security, Nathan has seen the exponential growth of mobile malware and is highly experienced in protecting Webroot customers from mobile threats. He also enjoys frequently traveling with his flight attendant wife, Megan, and is a competitive endurance mountain bike racer in Colorado.



Trackbacks

  1. [...] This has appeared many times as Flash Player 11, Flash Payer 10, FlashPlayer, etc. Webroot detects them as Android.FakeInst and has been tracking these types of fake installers for over a year; here, here and here. [...]