{"id":5392,"date":"2011-11-04T15:07:22","date_gmt":"2011-11-04T21:07:22","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=5392"},"modified":"2018-01-30T12:25:44","modified_gmt":"2018-01-30T19:25:44","slug":"i-dont-think-it-means-what-you-think-it-means-websites-hosting-android-trojans","status":"publish","type":"post","link":"https://www.webroot.com/blog/2011\/11\/04\/i-dont-think-it-means-what-you-think-it-means-websites-hosting-android-trojans\/","title":{"rendered":"I don&#8217;t think it means what you think it means&#8230;"},"content":{"rendered":"<p><strong>Websites Hosting Android Trojans \u00a0<\/strong><\/p>\n<p><strong>By Armando Orozco and\u00a0 Nathan Collier<\/strong><\/p>\n<p>Rogue Android apps are making their way into alternative markets. Yes, we&#8217;ve seen some malicious apps trickle through and they can be elusive. But we\u2019re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they\u2019re hosted on are very well put together and you can see that a great deal of time was put into creating them.<\/p>\n<p><strong>\u00a0The Websites<\/strong><\/p>\n<div id=\"attachment_5395\" style=\"width: 160px\" class=\"wp-caption alignleft\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site0.png\"><img aria-describedby=\"caption-attachment-5395\" decoding=\"async\" loading=\"lazy\" class=\"size-thumbnail wp-image-5395 \" title=\"fakeinst_website\" src=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site0.png?w=150\" alt=\"\" width=\"150\" height=\"109\" \/><\/a><p id=\"caption-attachment-5395\" class=\"wp-caption-text\">Click for Full Size<\/p><\/div>\n<p>These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. 
So far, we&#8217;ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market.\u00a0 We are discovering that this network of SMS Trojans is fairly large.<!--more--><\/p>\n<table>\n<tbody>\n<tr>\n<td>\n<p><div id=\"attachment_5396\" style=\"width: 113px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site1.png\"><img aria-describedby=\"caption-attachment-5396\" decoding=\"async\" loading=\"lazy\" class=\"size-thumbnail wp-image-5396\" title=\"fakeinst_mal_screenshot\" src=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site1.png?w=103\" alt=\"\" width=\"103\" height=\"150\" \/><\/a><p id=\"caption-attachment-5396\" class=\"wp-caption-text\">Fake Installer Description<\/p><\/div><\/td>\n<td>\n<p><div id=\"attachment_5397\" style=\"width: 152px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site2.png\"><img aria-describedby=\"caption-attachment-5397\" decoding=\"async\" loading=\"lazy\" class=\"size-thumbnail wp-image-5397 \" title=\"fakeinst_legit_screenshot\" src=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/4site2.png?w=142\" alt=\"\" width=\"142\" height=\"150\" \/><\/a><p id=\"caption-attachment-5397\" class=\"wp-caption-text\">Legit Installer Description<\/p><\/div><\/td>\n<\/tr>\n<tr>\n<td>Click to see full size images<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>The Threat<\/strong><\/p>\n<p><strong><\/strong>We&#8217;re calling these Trojans Android.SMS.FakeInst. We&#8217;ve found multiple variants but they all have the same objective. The Trojan informs the user that if they want to download the app, they must first agree to sending three premium rate text messages. In most cases the user will get the app they wanted but for a fee. 
Rates vary depending on country and carrier, but typically the three messages will go to different numbers with each charging a different fee. The screenshots below show examples of the screen when you first run the app and the rules you must agree to.<\/p>\n<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5398\" title=\"fakeinst_sms_rules\" src=\"http:\/\/webrootblog.files.wordpress.com\/2011\/11\/11.png\" alt=\"\" width=\"506\" height=\"384\" \/><\/a>Using the premium numbers shown in the screenshots, the fees would be:<\/p>\n<ul>\n<li># 7151 range of \u00a0\u00a033.87-40.00 rub\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 US $1.10-1.30<\/li>\n<li># 9151 range of 101.60-140.42 rub\u00a0\u00a0\u00a0\u00a0\u00a0 US $3.30-4.56<\/li>\n<li># 2855 range of 170.00-203.20 rub\u00a0\u00a0\u00a0 US $5.52-6.60<\/li>\n<\/ul>\n<p>Total cost<\/p>\n<ul>\n<li>137.17-383.62 rubles\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 US $9.92-12.46<\/li>\n<\/ul>\n<p>As you can see, that&#8217;s a pretty steep fee for an app you can get for free from the Google Marketplace. Even if it&#8217;s a paid app, the price is steeper than most and there&#8217;s no guarantee it will work correctly.<\/p>\n<p>The permissions these apps typically request are READ_PHONE_STATE, SEND_SMS, RECEIVE_SMS and INTERNET; however, we have seen a few more sophisticated apps that request the same permissions as the app they are impersonating.<\/p>\n<p>It&#8217;s known that most Android malware is distributed through alternative markets, but this is a whole new level. Choose your apps wisely and download from a trusted source. 
Check reviews, research the developer and verify permissions requested before downloading.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Websites Hosting Android Trojans \u00a0 By Armando Orozco and\u00a0 Nathan Collier Rogue Android apps are making their way into alternative markets. Yes, we&#8217;ve seen some malicious apps trickle through and they can be elusive. But we\u2019re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[9193,8631,3775,5109,9197,9199,9203,8707,9195,9205,4553,9207,9201,8015,4415,4611,3471,4201,4161,4155],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5392"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=5392"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5392\/revisions"}],"predecessor-version":[{"id":17092,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5392\/revisions\/17092"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17051"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=5392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=5392"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=5392"},{"taxonomy":"yst_prominent_words","e
mbeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=5392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}