This article was published on October 5, 2012

Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps


Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps

Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.

McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?

The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the whole of the malware appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:

Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.

This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.

How it works

Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.

The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.

Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.

Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.

Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate numbers.

How to protect yourself

The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.

If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.

As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.

Image credit: Iva Villi

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with