For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.
The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are made every few days, indicating that the malware authors are actively maintaining this malware family.
Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files.
In one case, when we compare the file CRCs of two downloads, we can see that the only meaningful change happens in “res/raw/data.db”. The other changed files, in META-INF, contain signature data for the package, so they merely reflect the fact that res/raw/data.db has been modified.
File CRC (Installer.APK) | File CRC (SKACHAT.APK) | Filename |
9dc48f61 | 074c54b5 | META-INF/MANIFEST.MF |
b1377893 | 42ecb534 | META-INF/ALARM.SF |
248c37f7 | 65105b65 | META-INF/ALARM.RSA |
40659b25 | 40659b25 | AndroidManifest.xml |
bbd88c2d | bbd88c2d | resources.arsc |
7a3498c4 | 7a3498c4 | classes.dex |
6129f361 | 9e488e9e | res/raw/data.db |
27bc873d | 27bc873d | res/drawable-hdpi/logo.png |
27bc873d | 27bc873d | res/drawable-ldpi/logo.png |
27bc873d | 27bc873d | res/drawable-mdpi/logo.png |
fa11bed8 | fa11bed8 | res/drawable-hdpi/icon.png |
fa11bed8 | fa11bed8 | res/drawable-ldpi/icon.png |
fa11bed8 | fa11bed8 | res/drawable-mdpi/icon.png |
This means that they share exactly the same code (stored in classes.dex), but that the data is variable. Examining the code, we see that res/raw/data.db contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware. The content of those SMS messages is changed with every download, thereby producing unique files.
In another case of Opfake, the polymorphism was achieved using a different technique. We noticed that there were APKs where all of the code and data files were identical and only the manifest and signature files were different:
CRC | Filename |
311fa59a | META-INF/MANIFEST.MF |
86f1655e | META-INF/CERT.SF |
ed814261 | META-INF/CERT.RSA |
02568138 | AndroidManifest.xml |
5539013f | classes.dex |
c9805df6 | res/drawable-hdpi/icon.png |
c9805df6 | res/drawable-mdpi/icon.png |
c9805df6 | res/drawable-ldpi/icon.png |
1d66a094 | res/layout/offert.xml |
b93210cd | res/layout/grant_access_to_content.xml |
169b2a86 | res/layout/main.xml |
30fe74be | res/raw/activation_schemes.cfg |
aca144d2 | res/drawable/progress_finished.xml |
3367b765 | res/xml/countries.xml |
f3087726 | resources.arsc |
88a24ad9 | 0.temp |
88a24ad9 | 1.temp |
88a24ad9 | 2.temp |
88a24ad9 | … |
Here the polymorphism is achieved by simply re-ordering the code and data files within the application package. When the package is created, the differences in file ordering will cause different manifest and signature files to be created.
Finally, the packages also included dummy .temp files. We have seen upwards of forty of these dummy files in a single package. However, the number of dummy .temp files may change with each download, providing even more permutations each time the application is downloaded. Interestingly, the .temp files do not seem to be used by the threat in any way and they all contain this mysterious picture:
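The CRC comparison used above can be automated. The following is an added example, not Symantec's tooling: it reads the per-entry CRCs from two APK (ZIP) files, ignores the META-INF signature data, and reports which of the three techniques separates the two downloads. The sample packages are constructed in memory with made-up contents, and the function names are illustrative.

```python
import io
import zipfile

def entries(apk):
    """Ordered (name, CRC) pairs of an APK, skipping META-INF signature data."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return [(i.filename, i.CRC) for i in z.infolist()
                if not i.filename.startswith("META-INF/")]

def classify(apk_a, apk_b):
    """Return which morphing techniques separate two downloads."""
    ea, eb = entries(apk_a), entries(apk_b)
    da, db = dict(ea), dict(eb)
    common = da.keys() & db.keys()
    found = set()
    # Same file name, different CRC: content such as res/raw/data.db changed.
    if any(da[n] != db[n] for n in common):
        found.add("variable data")
    # Shared files stored in a different sequence inside the archive.
    if [n for n, _ in ea if n in common] != [n for n, _ in eb if n in common]:
        found.add("re-ordering")
    # A file present in only one package whose CRC duplicates a sibling entry.
    for pkg in (da, db):
        crcs = list(pkg.values())
        if any(crcs.count(pkg[n]) > 1 for n in pkg.keys() - common):
            found.add("dummy files")
    return found

def build(files):
    """Constructed stand-in for an APK: a ZIP plus a fake META-INF entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files:
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", repr(files))  # differs per variant
    return buf.getvalue()

# Constructed sample content, not taken from real packages.
FILES = [("AndroidManifest.xml", b"manifest"), ("classes.dex", b"code"),
         ("res/raw/data.db", b"operator table A"),
         ("0.temp", b"picture"), ("1.temp", b"picture")]
BASE = build(FILES)
V_DATA = build(FILES[:2] + [("res/raw/data.db", b"operator table B")] + FILES[3:])
V_ORDER = build([FILES[1], FILES[0]] + FILES[2:])
V_DUMMY = build(FILES + [("2.temp", b"picture")])

if __name__ == "__main__":
    for label, apk in [("data", V_DATA), ("order", V_ORDER), ("dummy", V_DUMMY)]:
        print(label, sorted(classify(BASE, apk)))
```

CRC32 is used here only because it is already stored in the ZIP directory; it is not collision-resistant, so a cryptographic hash of the stable entries is the better basis for any durable fingerprint.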
Once the packages are downloaded and installed on the phone, SMS messages are automatically sent and the browser opens certain websites that are hosting further malware and/or the actual legitimate Android applications. Below are some examples of the fraudulent sites that are participating in the distribution of the malware:
While all of the distribution sites that have thus far been discovered are in Russian, the packages have the ability to send SMS messages not just in Russia, but also in other countries across Europe as well as countries like Australia and Taiwan. The following countries are affected by this threat:
Armenia, Australia, Austria, Azerbaijan, Belarus, Belgium, Bulgaria, Czech Republic, Denmark, Estonia, France, Georgia, Germany, Ireland, Israel, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Netherlands, Norway, Poland, Portugal, Russia, Spain, Sweden, Taiwan, United Kingdom, Ukraine
Though server-side polymorphism is used here, Symantec’s Norton Mobile Security protects customers against the automatically generated variants. We also block access to the websites hosting the Android package with Web Protection. We always advise people to download applications from sources they trust and to be cautious about the permissions they give to applications. For example, Android.Opfake will always request the capability to send SMS messages, as can be seen below.
Update February 2, 2012:
The "unidentified" individual in the mysterious picture has been identified as Свидетель из Фрязино ("Witness from Fryazino"). Thanks to Sean Sullivan of F-Secure for the information. The man is known for being digitally manipulated into various photographs.