For 2012, our AVG Mobilation™ team will put together weekly reports on the latest threats to Android mobile devices. The reports are written by one of our in-house experts, Elad Shapira; a short bio of him will be posted in the near future.

This week, the AVG Mobilation research team found a new variant of the ‘FakeInstaller’ malware, named ‘SMSFraudInstaller’, that is not yet in the wild.

‘SMSFraudInstaller’ is a Trojan horse for Android devices that sends SMS messages to premium-rate service numbers.

This malware is spread mainly through Russian websites and forums and mainly targets Russian users.

Technical details about the new variant

Below you can see the manifest file of the variant:

In the permissions list you can see the SEND_SMS permission, which the application uses to send SMS messages to the premium service.

When the Trojan is installed, it uses the Opera icon:

When opened, it displays the following message on the device:

If the user presses ‘Next’ (the right-hand button) on the screen above, the application sends an SMS to a premium service number.

The premium service number the SMS is sent to depends on the country in which the SIM card is registered (more on the SMS fees later).

Below is the code responsible for sending the SMS:
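The manifest and the SMS-sending code above are the two artifacts an analyst checks first when triaging a suspected FakeInstaller sample. The script below is an added example (not the sample's code and not an AVG tool): it parses an AndroidManifest.xml for the SEND_SMS and READ_PHONE_STATE permissions, scans decompiled Java for the framework calls that send SMS (SmsManager.sendTextMessage and friends) and that read the SIM's country (TelephonyManager.getSimCountryIso / getSimOperator), and flags the combination. The manifest and Java source embedded in it are constructed to mirror the pattern the post describes; package, class and method names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the shape the post describes (SEND_SMS to reach the
# premium number, READ_PHONE_STATE to read the SIM); not the real sample's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeinstaller">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Opera" android:icon="@drawable/icon">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed decompiled Java illustrating the pattern (SIM country read, then
# SmsManager used to send); not the real sample's code.
SAMPLE_SOURCE = """
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;

public class MainActivity extends Activity {
    void onNextPressed() {
        TelephonyManager tm = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
        String iso = tm.getSimCountryIso();
        String number = numberFor(iso);
        SmsManager.getDefault().sendTextMessage(number, null, "ok", null, null);
    }
}
"""

SMS_PERMISSIONS = {"android.permission.SEND_SMS"}
SIM_PERMISSIONS = {"android.permission.READ_PHONE_STATE"}

# Android framework methods that send SMS, and that reveal the SIM's country.
SMS_API_RE = re.compile(r"\b(sendTextMessage|sendMultipartTextMessage|sendDataMessage)\s*\(")
SIM_API_RE = re.compile(r"\b(getSimCountryIso|getSimOperator|getNetworkCountryIso)\s*\(")


def manifest_permissions(xml_text):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(xml_text)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def app_label(xml_text):
    """Return the android:label of <application>, or None if absent."""
    app = ET.fromstring(xml_text).find("application")
    return app.get(ANDROID_NS + "label") if app is not None else None


def api_calls(source_text, pattern):
    """Sorted, de-duplicated method names matching `pattern` in the source."""
    return sorted({m.group(1) for m in pattern.finditer(source_text)})


def triage(xml_text, source_text):
    """Combine manifest and source evidence into one set of findings."""
    perms = manifest_permissions(xml_text)
    findings = {
        "label": app_label(xml_text),
        "send_sms_permission": bool(perms & SMS_PERMISSIONS),
        "sim_permission": bool(perms & SIM_PERMISSIONS),
        "sms_api_calls": api_calls(source_text, SMS_API_RE),
        "sim_api_calls": api_calls(source_text, SIM_API_RE),
    }
    # Permission declared AND an SMS-sending call present: the FakeInstaller pattern.
    findings["sms_sender"] = findings["send_sms_permission"] and bool(findings["sms_api_calls"])
    # Additionally reads the SIM country: number chosen per country, as the post describes.
    findings["country_dependent"] = findings["sms_sender"] and bool(findings["sim_api_calls"])
    return findings
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_SOURCE)` to see the findings; on a real sample, feed it the manifest decoded by apktool and the Java produced by a decompiler. A SEND_SMS permission on an app whose label and icon claim to be a browser is the first thing to explain before going any further.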

Most users will press ‘Install’ at this point without realizing that the application will charge them, because the charge is only disclosed behind the ‘Rules’ button.

Users who press the ‘Conditions’ button see a very hard-to-read screen full of text that mentions, buried within it, the charge for sending up to 3 SMS messages:

If there is no SIM in the device, the application displays the following screen:

We have previously published detailed information about how these Russian SMS installers work.

Information about ‘Android SMS Fake installer’ can be found at the following link:

http://www.droidsecurity.com/securitycenter/secuirtypost_20111110.html#tabs-2

The story behind the massive FakeInstaller malware instances

We have recently seen a burst of applications that send SMS messages from the targeted devices to premium numbers.

What all these applications have in common is that they share the same origin: the malware author’s website.

As you can see in the picture above, there are devices flying in the air, throwing golden coins onto a heap of golden coins.

That money belongs to the users of the targeted devices, from whom it is taken.

The malware author offers developers the chance to add his malicious payload to their apps and earn money from it.

The malware author splits the money with the application developer, leaving the developer most of it.

The malware author’s website contains a forum where the malware authors offer support and give detailed explanations of how to use the payload.

Initially the malware author spread malware for Symbian-based phones, but as more and more users own Android-based phones, they are moving to target Android-based devices.

Analysis of the malware author’s Java code file given to developers who want to join

Below are code snippets taken from the jar file the malware author offers developers; in this case, the SMS sending mechanism:

And also:

Technical details about the spread mechanism of the malware – different devices

When the user browses to the page of the malicious application, the server hosting the app determines which operating system the user has (Symbian, Android, etc.) and then offers the user the malware file type relevant to the detected operating system, one file per operating system.

Below is the ‘default’ behavior, when the server identifies a Symbian OS:

Below is the behavior when the server identifies an Android OS:
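The OS detection above is plain User-Agent sniffing, which has a practical consequence for analysts: fetching the landing page with a single browser only reveals one of the payloads. The example below is added here and is not the landing page's code; it models the server-side dispatch (rules, payload file names and MIME types are assumptions, with the Symbian branch taken as the fallback because the post shows it as the ‘default’) and an analyst-side probe that replays the page once per platform to collect every variant. The User-Agent strings are constructed in the format handsets of the time sent, and the server is a local stand-in so the code runs offline.

```python
import re

# Ordered platform rules; first match wins. Symbian is tested before Java ME
# because Symbian browsers also advertise "Profile/MIDP-2.x" in their UA.
UA_RULES = [
    ("android", re.compile(r"\bAndroid\b")),
    ("symbian", re.compile(r"SymbianOS|SymbOS|Series60|S60")),
    ("java_me", re.compile(r"J2ME|MIDP")),
]

# Fallback when nothing matches; assumed to be the Symbian path, which the
# post shows as the landing page's "default" branch.
DEFAULT_PLATFORM = "symbian"

# Assumed file name and MIME type per platform (placeholders, not from the page).
PAYLOADS = {
    "android": ("opera_installer.apk", "application/vnd.android.package-archive"),
    "symbian": ("opera_installer.sis", "application/vnd.symbian.install"),
    "java_me": ("opera_installer.jar", "application/java-archive"),
}

# Constructed probe User-Agent strings, one per platform plus a desktop browser.
PROBE_UAS = {
    "android": "Mozilla/5.0 (Linux; U; Android 2.3.3; ru-ru; GT-I9100 Build/GINGERBREAD) "
               "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "symbian": "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/12.0.024; "
               "Profile/MIDP-2.1 Configuration/CLDC-1.1; ) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.12344",
    "java_me": "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/35.5706; U; ru) Presto/2.8.119 Version/11.10",
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7",
}


def classify_ua(user_agent):
    """Map a User-Agent string to a platform label, falling back to DEFAULT_PLATFORM."""
    for platform, rule in UA_RULES:
        if rule.search(user_agent):
            return platform
    return DEFAULT_PLATFORM


def select_payload(user_agent):
    """Server-side dispatch: (platform, file name, MIME type) served to this visitor."""
    platform = classify_ua(user_agent)
    filename, mime = PAYLOADS[platform]
    return platform, filename, mime


def fake_landing_page(user_agent):
    """Constructed stand-in for the malicious server: returns response headers only."""
    _, filename, mime = select_payload(user_agent)
    return {"Content-Disposition": f'attachment; filename="{filename}"', "Content-Type": mime}


def enumerate_variants(fetch, probes=PROBE_UAS):
    """Analyst side: replay the page once per User-Agent and record which file
    each one is offered. `fetch(ua)` must return the response headers as a dict;
    swap fake_landing_page for a real HTTP call to probe a live site."""
    variants = {}
    for label, ua in probes.items():
        headers = fetch(ua)
        match = re.search(r'filename="([^"]+)"', headers.get("Content-Disposition", ""))
        variants[label] = match.group(1) if match else None
    return variants
```

The desktop probe is deliberate: the page's response to a non-mobile browser tells you which branch is the fallback, and a Symbian installer handed to a desktop visitor is itself a useful indicator when hunting for mirrors of the same kit.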

Technical details about the spread mechanism of the malware – different countries

We could see that the malware instances check which country the device is operating in and then send SMS messages to a premium service number local to that country.

For example, below is text taken from the user agreement (link marked with a red square) on a Russian website, which details the cost of each SMS in each country in which the malware operates:
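Putting the per-country pricing together with the SIM check described earlier (a number chosen by the SIM's country, a separate screen when no SIM is present, up to 3 chargeable SMS): the example below is added here, is not the malware's code, and models that device-side decision from the analyst's point of view. It parses an agreement-style tariff text into a table, resolves the SIM's mobile country code (the first three digits of TelephonyManager.getSimOperator()) to a country, and computes the worst-case charge. The tariff text is constructed, the short codes and prices are placeholders rather than real premium numbers, and only three MCC entries are included; the SIM state constants are the real TelephonyManager values.

```python
import re

# Constructed tariff text in the shape of the user agreement the post describes.
# The short codes and prices are placeholders, not real premium numbers.
AGREEMENT_TEXT = """
Russia (RU): send to 1111, cost 150 RUB per SMS, up to 3 SMS
Ukraine (UA): send to 2222, cost 20 UAH per SMS, up to 3 SMS
Kazakhstan (KZ): send to 3333, cost 1000 KZT per SMS, up to 3 SMS
"""

TARIFF_RE = re.compile(
    r"\(([A-Z]{2})\):\s*send to (\d+),\s*cost ([\d.]+) ([A-Z]{3}) per SMS,\s*up to (\d+) SMS"
)

# Mobile country codes (first three digits of TelephonyManager.getSimOperator(),
# which returns MCC+MNC). ITU allocations for the three countries above only.
MCC_TO_ISO = {"250": "ru", "255": "ua", "401": "kz"}

SIM_STATE_ABSENT = 1   # TelephonyManager.SIM_STATE_ABSENT
SIM_STATE_READY = 5    # TelephonyManager.SIM_STATE_READY


def parse_tariffs(text):
    """Turn the agreement text into {iso: {number, price, currency, max_sms}}."""
    tariffs = {}
    for iso, number, price, currency, max_sms in TARIFF_RE.findall(text):
        tariffs[iso.lower()] = {
            "number": number,
            "price": float(price),
            "currency": currency,
            "max_sms": int(max_sms),
        }
    return tariffs


def sim_country(sim_state, sim_operator):
    """Mirror the device-side check: None without a usable SIM, else the ISO
    country code derived from the MCC; unknown MCCs also yield None."""
    if sim_state != SIM_STATE_READY or not sim_operator or len(sim_operator) < 3:
        return None
    return MCC_TO_ISO.get(sim_operator[:3])


def select_target(tariffs, sim_state, sim_operator):
    """Tariff entry the installer would bill against, or None when there is
    no SIM (the post's 'no SIM' screen) or no tariff for the SIM's country."""
    iso = sim_country(sim_state, sim_operator)
    return tariffs.get(iso) if iso else None


def worst_case_charge(entry):
    """Maximum a user can be charged if every permitted SMS is sent: (amount, currency)."""
    return entry["price"] * entry["max_sms"], entry["currency"]
```

When analysing a real sample, the table fed to `parse_tariffs` comes from the agreement page and the number-selection logic from the decompiled code; comparing the two is a quick way to confirm that the "conditions" text actually matches what the app charges.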

That is why you always need to read and verify what you are downloading.

How to remove

AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
To activate the protection, install our latest version on your Android phone.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

How to avoid getting infected:
When installing new apps on your Android device, always review the permissions the application asks you to approve and make sure the list seems appropriate for what the app does.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application’s star rating, developer information and user reviews to make sure you know what you are downloading.