{"id":6256,"date":"2012-03-06T12:34:19","date_gmt":"2012-03-06T19:34:19","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=6256"},"modified":"2018-01-30T12:21:18","modified_gmt":"2018-01-30T19:21:18","slug":"evolution-of-android-malware-the-touch-the-feel-of-being-tricked-into-sending-premium-sms-messages-the-worst-feeling-of-our-lives-part-3","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/03\/06\/evolution-of-android-malware-the-touch-the-feel-of-being-tricked-into-sending-premium-sms-messages-the-worst-feeling-of-our-lives-part-3\/","title":{"rendered":"Evolution of Android Malware \u201cThe touch, the feel of being tricked into sending premium SMS messages, the worst feeling of our lives\u201d (Part 3)"},"content":{"rendered":"

by Nathan Collier<\/strong><\/p>\n

Android.SMS.FakeInst is a Trojan that aims to do one thing — trick users into sending premium SMS messages by pretending to be an install for an app.\u00a0 Here’s how the scam works: The user sends three premium SMS messages in exchange for an app, but there is no guarantee that it will actually install anything after they already have your money.\u00a0 These malicious apps are getting harder and harder to discern as malicious as the look and feel of these apps get better through newer iterations.\u00a0 One variant of these Trojan apps, which\u00a0comes from a known malicious site, looks better with each update.\u00a0 Let’s start with one of the\u00a0first iterations of this variant.<\/p>\n

The icon looks fairly convincing:<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n

Not very compelling with only simple text asking to agree to download:<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Here’s the agreement stating it’s ok for them to steal from you… don’t think it quite works that way in our legal system:<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The first iteration isn’t too compelling at all.\u00a0 Let’s look at the next iteration.<\/p>\n

Nice looking icon they have here<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Oooo, a status bar!\u00a0 This has to be legit, right?<\/p>\n\n\n\n\n
\n

\"\"<\/a><\/p>\n<\/td>\n

\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

There’s that pesky agreement again.<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The app was more believable this time.\u00a0 Nice touch with the status bar.\u00a0 On to the last iteration we saw just last month in time for the Beta Google Chrome for Android release.<\/p>\n

Say, that icon looks familiar!<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

WOW, looking shrap SMS.FakeInst!<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Even the agreement looks more convincing with that clean looking ‘Start’ button<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Each iteration looks better.\u00a0 Nice to see the bad guys have more pride in their work as time goes by.\u00a0 The lesson here is to read the rules and agreements, and if the agreement asks for three payments in the form of premium SMS messages and states that it assumes no liability for damages including loss of profits, it’s probably not legit.\u00a0 With new variants of these SMS.FakeInst Trojans coming out every other day, and the bad guys hosting their malware on sites that are as convincing as the apps as we discussed in our November blog post, \u201cI don\u2019t think it means what you think it means\u2026<\/a>\u201d, we are working hard to keep you protected, and with Webroot SecureAnywhere Mobile<\/a> we promise our agreement won’t ask to you send premium SMS messages.<\/p>\n","protected":false},"excerpt":{"rendered":"

by Nathan Collier Android.SMS.FakeInst is a Trojan that aims to do one thing — trick users into sending premium SMS messages by pretending to be an install for an app.\u00a0 Here’s how the scam works: The user sends three premium SMS messages in exchange for an app, but there is no guarantee that it will […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[10207,8631,3775,5109,7093,10205,10209,4289,6675,8707,10199,10195,10203,10201,10197,8709,10031,10211,8067,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6256"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=6256"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6256\/revisions"}],"predecessor-version":[{"id":23672,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6256\/revisions\/23672"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=6256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=6256"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=6256"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=6256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}