Websites Hosting Android Trojans  

By Armando Orozco and Nathan Collier

Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.

The Websites

These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market. We are discovering that this network of SMS Trojans is fairly large.

Fake Installer Description

Legit Installer Description

The Threat

We’re calling these Trojans Android.SMS.FakeInst. We’ve found multiple variants but they all have the same objective. The Trojan informs the user that if they want to download the app, they must first agree to sending three premium rate text messages. In most cases the user will get the app they wanted, but for a fee. Rates vary depending on country and carrier, but typically the three messages will go to different numbers, with each charging a different fee. The screenshots below show examples of the screen when you first run the app and the rules you must agree to.

Using the premium numbers shown in the screenshots, the fees would be:

  • #7151: range of 33.87-40.00 rub (US $1.10-1.30)
  • #9151: range of 101.60-140.42 rub (US $3.30-4.56)
  • #2855: range of 170.00-203.20 rub (US $5.52-6.60)

Total cost

  • 137.17-383.62 rubles (US $9.92-12.46)

As you can see, that’s a pretty steep fee for an app you can get for free from the Google Marketplace. Even if it’s a paid app, the price is steeper than most and there’s no guarantee it will work correctly.

The permissions these apps typically request are READ_PHONE_STATE, SEND_SMS, RECEIVE_SMS and INTERNET; however, we have seen a few more sophisticated apps that request the same permissions as the app they are impersonating.

It’s known that most Android malware is distributed through alternative markets, but this is a whole new level. Choose your apps wisely and download from a trusted source. Check reviews, research the developer and verify permissions requested before downloading.
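
The permission check described above can be automated when triaging an installer. The following is an added example, not code from the original post or from Webroot: it assumes the APK's AndroidManifest.xml has already been decoded to text XML (for example with apktool), and the function names, the sample manifest and the `genuine_permissions` reference set are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Permission set the article lists as typical for Android.SMS.FakeInst.
FAKEINST_PROFILE = {"READ_PHONE_STATE", "SEND_SMS", "RECEIVE_SMS", "INTERNET"}


def requested_permissions(manifest_xml):
    """Return short names of every <uses-permission> in a decoded manifest."""
    perms = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            name = name[len(PREFIX):]
        if name:
            perms.add(name)
    return perms


def triage(manifest_xml, genuine_permissions=None):
    """Flag the FakeInst permission profile; optionally diff against the real app."""
    perms = requested_permissions(manifest_xml)
    report = {
        "permissions": sorted(perms),
        "can_send_sms": "SEND_SMS" in perms,
        "matches_fakeinst_profile": FAKEINST_PROFILE <= perms,
        "only_profile": perms == FAKEINST_PROFILE,  # the simple variants
    }
    if genuine_permissions is not None:
        # Permissions the installer asks for that the app it claims to be does not.
        report["not_in_genuine_app"] = sorted(perms - set(genuine_permissions))
    return report


# Constructed sample manifest (assumption, not taken from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.installer">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Installer"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, genuine_permissions={"INTERNET"}))
```

A profile match is a triage signal rather than a verdict, since legitimate messaging apps also request SMS permissions; the diff against the genuine app's permission list is what highlights an installer asking for more than the app it claims to deliver.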

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.