Tuesday, July 24, 2012

Researchers Find More Android Malware: Some Send Expensive SMS, Others Steal Data

I’ve said it before and I’ll say it again: If you plan on downloading apps on your Android device, make sure that you’re getting the apps from a trusted Android market like the official Google Play store or Amazon Appstore for Android.

Don’t download apps from random third-party sites, and don’t complete the installation process for apps that present two different permission screens.

Failure to heed such warnings can easily result in your beloved smartphone being infected with Trojan apps that either steal your data or rack up expensive cellphone bills by firing off SMS messages to a premium-rate number.

Android Malware Wants Your Contacts


An example of Android malware that steals data would be Android.Ackposts, which was recently discovered by Symantec researchers.

Android.Ackposts tends to find its way onto the smartphones of unsuspecting Android users by posing as a battery-saving app.

Only two permissions are requested during installation (on a single screen): full internet access and the ability to read contact data, which is all it really needs since its entire purpose is to harvest email addresses for spammers and upload the data to a remote server.

The fact that Android.Ackposts targets contact information makes a little more sense once you realize that the app is being advertised via Japanese spam messages.

New OpFake Variant is... Less Fake, Actually Installs Opera Mini Browser


As far as SMS-sending Trojans go, OpFake is maintaining relevance thanks to a new variant that comes bundled with the mobile web browser it poses as instead of merely carrying the name and nothing more.

GFI Labs researchers found this new version of OpFake (detected as Trojan.AndroidOS.Generic.A) lurking on a fake Opera Mini support website. The Trojan is delivered in a package (ironically) named “com.surprise.me,” which contains a file named “opera_mini_65.apk.”

Users are presented with two permission screens during the installation process, which should raise a huge red flag that something’s amiss. Unfortunately, the first screen applies to the malware itself, so it’s critical that users actually pay attention to the permissions being requested whenever they install an app. Once you agree to the first set, you will be shown the permissions for the legitimate Opera Mini app.

By the way, I can’t think of any reason why a browser would need SMS permissions.

Permission screens for the new OpFake variant (image credit: GFI Labs)


After everything is said and done, the user can use the actual Opera Mini browser. However, the malware will also be using its approved permission set to send an SMS message to a premium-rate number, connect to a remote server, and read stored information including:

  • Country location

  • Operator name

  • OS version

  • Phone type

  • Device ID (IMEI)


Keeping Your Android Device Safe


Despite the threats roaming about, it’s relatively easy to keep your Android device malware-free.

  • Only download Android apps from official Android app stores like Google Play or the Amazon Appstore for Android.

  • Always check the number of downloads, app rating and user reviews. If an app has a poor rating or a laundry list of poor reviews, it’s likely in your best interest to take a pass on downloading it.

  • Carefully review permissions before downloading and/or installing. If you feel that the app is requesting permissions that it shouldn’t be, don’t install it.

  • Watch for multiple ‘Permissions to Install’ screens. The first screen typically applies to the malware itself, so it’s important that you scrutinize app permissions. That second screen should serve as more of a “heads-up” that you may have just fallen into a malware trap.
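The permission check described for OpFake above (a browser has no business asking for SMS access) and in the checklist can be automated against a decoded AndroidManifest.xml. The script below is an added example, not code from the original post or from GFI Labs or Symantec; the sensitive-permission list, the expected-permission profiles and the sample manifest are all assumptions constructed for illustration.

```python
"""Flag Android manifest permissions that do not fit an app's claimed purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post singles out as abused by OpFake and Ackposts.
# Hypothetical, illustrative list; not exhaustive.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.READ_CONTACTS": "can harvest contacts / email addresses",
    "android.permission.READ_PHONE_STATE": "can read IMEI and operator name",
}

# What an app of a given kind might reasonably ask for (assumed profiles).
EXPECTED = {
    "browser": {"android.permission.INTERNET",
                "android.permission.ACCESS_NETWORK_STATE"},
    "battery_saver": {"android.permission.BATTERY_STATS"},
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def suspicious_permissions(manifest_xml, app_kind):
    """Return {permission: reason} for sensitive permissions this app kind does not need."""
    expected = EXPECTED.get(app_kind, set())
    return {
        p: SENSITIVE[p]
        for p in requested_permissions(manifest_xml)
        if p in SENSITIVE and p not in expected
    }

# Constructed sample manifest modelled on the OpFake description: a "browser"
# that also asks for SMS and phone-state access. Not a real malware sample.
FAKE_BROWSER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in sorted(suspicious_permissions(FAKE_BROWSER_MANIFEST, "browser").items()):
        print(f"{perm}: {why}")
```

Run against a manifest produced by decoding an APK, the script lists exactly the permissions a user should question before tapping Install.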


Have you discovered any malware on your Android device?
