We have been monitoring the massive SMS fraud campaign on the mobile platform for a while now, as new activity is constantly taking place. New domains are created practically every day and new variants are released consistently. Most of this activity is not really noteworthy. However, we did recently discuss a development of interest regarding the APK malware's use of server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worth a mention in order to warn people about the new activity.
A little while back, a fake Android Market was set up that hosted various apps that were ultimately malware. As you can see below, that page looked slightly different from the official Android Market.
Scammers have since released a revised version that is more in tune with the current Android Market. In fact, unless they looked at the URL, the average person would probably not be able to tell the difference between the two.
Let’s take a look at one of the pages of an individual application. It looks like a copy and paste from the legitimate page.
But this page is not real, and the same goes for the apps downloaded from it. Below are three downloads of the same application, made just minutes apart. Notice that the file sizes are drastically different. This is because the site is using server-side polymorphism to change the content of the package on every download in order to evade signature-based detection by security software. It is also interesting to note that the files not only differ from each other, but that all three are much bigger than the old variants used to be. The older variants were in the range of around 50 KB to 100 KB, but as you can see the files are now in the range of around 1 MB. Making the package bigger may be an attempt to look more authentic. Functionality-wise, they are identical to the old variants, so what is making these files so much bigger?
The culprits are the files contained in the "res\raw" folder. As you can see, there are a great many 24 KB files that are all identical and are bloating the package. Note that 24 KB is the size of each file after the package has been unpacked. The number of files in "res\raw" for the three packages is 3,544, 3,748, and 2,664. Multiplying the number of files by the file size gives roughly 85 MB of uncompressed filler for the largest of them; account for the compression ratio of the ZIP container (repetitive text compresses extremely well) and you arrive at the package sizes shown above. In other words, it is simply the number of files contained in the "res\raw" folder that makes these packages differ from each other.
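The following script, an added example and not Symantec's or the malware authors' code, shows how a practitioner can see through this particular polymorphism trick. An APK is an ordinary ZIP archive, so the script opens it with the standard library, groups the "res/raw" entries by content hash (the padding shows up as one hash repeated thousands of times), reports the uncompressed versus compressed size of that folder, and computes a fingerprint over everything except the padding so that variants with different file counts collapse to the same identifier. The samples it analyzes are constructed in memory to mimic the packages described above (a stand-in manifest and classes.dex plus N identical 24 KB text files); the file counts 3,544 and 2,664 are the ones quoted in the post, and the package name and filler text are assumptions.

```python
import hashlib
import io
import zipfile
from collections import Counter

PADDING_SIZE = 24 * 1024  # per-file size of the res/raw filler observed in the post


def build_sample_apk(padding_count: int) -> bytes:
    """Constructed stand-in for one polymorphic package (not a real APK).

    The 'payload' entries are identical across calls; only the number of
    byte-identical res/raw filler files changes, as the post describes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Assumed package name and placeholder bytecode; content is irrelevant here.
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.installer'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4000)
        filler = ("lorem ipsum dolor sit amet " * 1000).encode("ascii")[:PADDING_SIZE]
        for i in range(padding_count):
            z.writestr(f"res/raw/file{i}", filler)
    return buf.getvalue()


def analyze_apk(apk_bytes: bytes) -> dict:
    """Measure res/raw bloat and fingerprint the package with the filler removed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        # One content hash per entry; thousands of identical res/raw hashes is the tell.
        entry_hash = {i.filename: hashlib.sha256(z.read(i)).hexdigest() for i in infos}
        raw = [i for i in infos if i.filename.startswith("res/raw/")]
        raw_hashes = Counter(entry_hash[i.filename] for i in raw)
        padding_hash, padding_count = raw_hashes.most_common(1)[0] if raw_hashes else (None, 0)

        # Order-independent fingerprint over path + content of every non-filler entry,
        # so that variants differing only in padding count map to the same value.
        fp = hashlib.sha256()
        for i in sorted(infos, key=lambda x: x.filename):
            if i.filename.startswith("res/raw/") and entry_hash[i.filename] == padding_hash:
                continue
            fp.update(i.filename.encode("utf-8") + b"\0" + z.read(i))

        return {
            "package_bytes": len(apk_bytes),
            "raw_entries": len(raw),
            "padding_entries": padding_count,
            "raw_uncompressed_bytes": sum(i.file_size for i in raw),
            "raw_compressed_bytes": sum(i.compress_size for i in raw),
            "fingerprint": fp.hexdigest(),
        }


def looks_padded(report: dict, min_copies: int = 100) -> bool:
    """Heuristic: hundreds of byte-identical res/raw entries are bloat, not resources."""
    return report["padding_entries"] >= min_copies


if __name__ == "__main__":
    for count in (3544, 2664):
        r = analyze_apk(build_sample_apk(count))
        print(f"{count} filler files: package {r['package_bytes']} bytes, "
              f"res/raw {r['raw_uncompressed_bytes']} bytes uncompressed, "
              f"padded={looks_padded(r)}, fingerprint={r['fingerprint'][:16]}")
```

The fingerprint is deliberately content-based rather than a hash of the whole file: a plain file hash changes with every download, which is exactly what the server-side polymorphism is designed to achieve, whereas the padding-stripped fingerprint stays constant across the variants and can be used to cluster them. Real APKs also contain signature files under META-INF that differ per build; a production version of this check would exclude those as well.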
Interestingly, these files only contain meaningless text as can be seen below.
Like any typical malicious Android application used for SMS fraud, this one also requests the permission to send SMS messages (android.permission.SEND_SMS). Note that the actual name of the application is "Installer" rather than the name of the application shown on the download page. This is a trait that is common for this type of malware. If you see "Installer", or the Russian translation of the word, and the application requests the ability to send SMS, then there is a high probability that it is not the legitimate application you thought you had acquired.
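The two traits above can be turned into a simple triage rule. The script below is an added example, not code from the post or from Symantec; it assumes the manifest has already been decoded from Android's binary XML to plain XML (for instance with apktool), and it assumes "Установщик" as the Russian translation of "Installer", which the post does not spell out. Both manifests are constructed samples, and the package names in them are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SEND_SMS = "android.permission.SEND_SMS"
# Labels the post flags: "Installer" and its Russian translation (assumed to be "Установщик").
SUSPECT_LABELS = {"installer", "установщик"}


def assess_manifest(manifest_xml: str) -> dict:
    """Flag the 'Installer' name plus SEND_SMS combination described in the post."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""
    perms = {p.get(f"{{{ANDROID_NS}}}name") for p in root.findall("uses-permission")}

    # A label such as @string/app_name is a resource reference; it must be
    # resolved against res/values before it can be compared, so report it as unresolved.
    label_unresolved = label.startswith("@")
    suspect_label = (not label_unresolved) and label.strip().lower() in SUSPECT_LABELS
    sends_sms = SEND_SMS in perms

    if suspect_label and sends_sms:
        verdict = "likely fake installer"
    elif sends_sms:
        verdict = "sends SMS: review"
    else:
        verdict = "no match"
    return {
        "package": root.get("package"),
        "label": label,
        "label_unresolved": label_unresolved,
        "sends_sms": sends_sms,
        "suspect_label": suspect_label,
        "verdict": verdict,
    }


# Constructed sample resembling the package discussed above (decoded to plain XML).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.installer">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Installer"/>
</manifest>"""

# Constructed benign sample: no SMS permission, label via a resource reference.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="@string/app_name"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = assess_manifest(m)
        print(f"{r['package']}: label={r['label']!r} sends_sms={r['sends_sms']} -> {r['verdict']}")
```

The rule is a triage heuristic, not a detection signature: a legitimate messaging app legitimately requests SEND_SMS, which is why the "sends SMS: review" outcome is kept separate from the stronger name-plus-permission match.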
Even though these applications target users who can read Russian, there is a slight chance that they are (or will eventually be) mixed into various markets or file-sharing services, or used as email attachments. So always be wary when installing applications on smartphones. We always recommend that people download applications only from sources they trust and be cautious about the permissions they grant to those applications. Symantec's Norton Mobile Security detects the variant discussed in this blog as Android.Opfake.