April 11, 2012

The Continuing Saga of Fake App Toll Fraud

The Threat

In the first quarter of 2012, we’ve continued to see a growing trend of premium-rate SMS malware targeted at European markets. Many of these malware families clearly share ancestry in their construction and are promoted in a way similar to the affiliate marketing of legitimate apps. They include RuPaidMarket, DepositMobi, OpFake and other associated fraudulent installer applications.

In a continuation of this trend, Lookout has discovered in the past week two significant new variations on this theme. One appears to be an entirely new construction, and one appears to be a significant evolution (variant) of the fake installer apps. While their code bases clearly differ, they are related by distribution and by significant overlap in targeted short codes.

If you are currently a Lookout user, you are already protected and do not need to take any additional action.

How it works

FakeWAM is an evolution of the OpFake / RuPaidMarket premium SMS toll fraud family. Like previously identified instances, FakeWAM claims to install “WhatsApp Messenger” but does not. What makes this variant significant is that it uses reflection (the Java facility by which a program can look up and invoke classes and methods by name at runtime, rather than referencing them directly in its compiled code) to interact with operating system services, notably those for sending SMS. Because the SMS-sending API is resolved at runtime instead of appearing as an ordinary reference in the app’s bytecode, the application presents a substantially different static “fingerprint” from those used to detect its siblings.
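As an added illustration (this is not Lookout’s detection logic, nor code from the samples), the toy analyzer below shows why a reflective variant defeats a naive string fingerprint. It runs a literal-string signature and a behavioural heuristic over two constructed dex string tables: one for an app that calls SmsManager directly, and one for the same behaviour routed through java.lang.reflect with the class and method names carried as base64 blobs. The sample strings, the base64 encoding, the marker sets and the three-primitive threshold are all assumptions made for the example.

```python
import base64
import binascii

# Constructed string tables standing in for what a dex string-table dump of two
# hypothetical fake-installer APKs might contain. Neither is from a real sample.
DIRECT_SAMPLE = [
    "Landroid/telephony/SmsManager;",
    "getDefault",
    "sendTextMessage",
    "android.permission.SEND_SMS",
    "Lcom/example/installer/MainActivity;",
]

# Same behaviour, but the API names are stored base64-encoded and resolved via
# reflection at runtime, so the recognisable names never appear as plain strings.
REFLECTIVE_SAMPLE = [
    "Ljava/lang/Class;",
    "forName",
    "getMethod",
    "Ljava/lang/reflect/Method;",
    "invoke",
    "android.permission.SEND_SMS",
    base64.b64encode(b"android.telephony.SmsManager").decode(),
    base64.b64encode(b"sendTextMessage").decode(),
    "Lcom/example/installer/MainActivity;",
]

SMS_API_MARKERS = {"Landroid/telephony/SmsManager;", "sendTextMessage"}
REFLECTION_MARKERS = {"Ljava/lang/reflect/Method;", "forName", "getMethod", "invoke"}
SEND_SMS_PERMISSION = "android.permission.SEND_SMS"


def string_signature_hit(strings):
    """Naive fingerprint: the SMS API names are present as literal strings."""
    return SMS_API_MARKERS.issubset(strings)


def decode_hidden_strings(strings):
    """Base64-decode every candidate string and keep printable ASCII results.

    Base64 is only the encoding this constructed sample uses; a real family
    would need its own decoder here.
    """
    found = []
    for s in strings:
        if len(s) < 8 or len(s) % 4 != 0:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("ascii", errors="ignore")
        if text and text.isprintable() and len(text) == len(raw):
            found.append(text)
    return found


def reflective_sms_hit(strings):
    """Heuristic: reflection primitives + SEND_SMS permission + a hidden SMS API name."""
    uses_reflection = len(REFLECTION_MARKERS & set(strings)) >= 3
    has_permission = SEND_SMS_PERMISSION in strings
    hidden = decode_hidden_strings(strings)
    hides_sms_api = any("SmsManager" in h or "sendTextMessage" in h for h in hidden)
    return uses_reflection and has_permission and hides_sms_api


def classify(strings):
    """Return 'direct-sms', 'reflective-sms' or 'clean' for one string table."""
    if string_signature_hit(strings):
        return "direct-sms"
    if reflective_sms_hit(strings):
        return "reflective-sms"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("direct", DIRECT_SAMPLE), ("reflective", REFLECTIVE_SAMPLE)):
        print(f"{name}: signature={string_signature_hit(sample)} "
              f"heuristic={reflective_sms_hit(sample)} -> {classify(sample)}")
```

The literal signature fires only on the direct sample; the reflective sample slips past it and is caught only by combining the reflection primitives, the SEND_SMS permission and the decoded payload. That combination is the kind of behavioural fingerprint a scanner needs once a family stops referencing the SMS API by name.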

AlphaSMS is a minor but related family. The application poses as an app downloader/installer but instead sends premium-rate SMS messages that are charged to the victim’s bill. It then redirects the user to a website offering additional, potentially malicious applications for download. AlphaSMS’ construction is unsophisticated but effective.

Both AlphaSMS and FakeWAM launch websites in an effort to get a user to install more potentially malicious apps on their device. Based on our sampling, these sources are split roughly 50/50 between legitimate applications and other associated toll fraud malware.

Package Names:

  • FakeWAM: Jk7H.PwcD
  • AlphaSMS: dfjg6.Gtr6H

Who is affected?

Neither of these families was discovered in mainstream application markets, so the risk to users is relatively low.

How to stay safe

  • Only download apps from trusted sources, such as reputable app stores and download sites. Read through the permissions, and remember to look at the developer name, reviews and star ratings.
  • Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include unusual text messages, strange charges to your phone bill, and suddenly decreased battery life.
  • Download a mobile security app for your phone that scans every app you download. For extra protection, make sure your security app can also warn you when navigating to unsafe websites.

Comments

  1. Vess says:

    These two are really the same thing – OpFake; just different variants of it. And, folks, when are you going to realize that these things (just like FakeSMSInstaller) use server-side polymorphism? Only FakeSMSInstaller is modified every workday, while OpFake is modified every few days.

    Just from the package names it is not possible to determine which particular variants you have in mind, but here are a few that have classes with such names:

    C4440F99 Jk7H.PwcD.SLYfoMdG
    EFA2DC7A Jk7H.PwcD.SLYfoMdG$1

    C5C6F844 dfjg6.Gtr6H.a
    1AC35670 dfjg6.Gtr6H.b
    5CFF0097 dfjg6.Gtr6H.B66gGh
    D585D24A dfjg6.Gtr6H.c
    CC615EC4 dfjg6.Gtr6H.d
    A2472643 dfjg6.Gtr6H.e

    1D5F8CD7 dfjg6.Gtr6H.B66gGh
    1D436B9C dfjg6.Gtr6H.BetweentheBalticandtheNorth
    32001601 dfjg6.Gtr6H.InoldentimesaflockofswansflewovertheAlpstothe
    CE6574BD dfjg6.Gtr6H.greenplainsaroundMilanwhereiwasdelightfultodwell
    9F139233 dfjg6.Gtr6H.Seathereliesanoldswansnestwherein
    4CBDD4F0 dfjg6.Gtr6H.swansarebornandhavebeenbornthatshallneverdie

    F3409ADE dfjg6.Gtr6H.B66gGh
    B37219A7 dfjg6.Gtr6H.HeavendeliverusfromthewildNorthmen
    4368458D dfjg6.Gtr6H.OnthecoastofFrancetheresoundedacryoffearforthebloodstained
    0217C85B dfjg6.Gtr6H.closebytheEmperorthroneandspreadtheirwingsover
    39F55DC0 dfjg6.Gtr6H.himasshieldstoprotecthimTheyreceivedthenameofVarangians
    44CDB145 dfjg6.Gtr6H.southwardtoByzantiumtheswansestablishedthemselvesthere
    A1C6CA3A dfjg6.Gtr6H.swansthatcamefromtheNorthwithfireundertheirwingsandthepeopleprayed
    5E213383 yhj.hffd.BetaReceiver
    6B5DF0CF yhj.hffd.BetaService
    EC8BFD9D yhj.hffd.BetaWebA
    874088B8 yhj.hffd.BootReceiver
    3BA5A7C6 yhj.hffd.HeavendeliverusfromthewildNorthmen
    B363B0AE yhj.hffd.HtmlActivity
    48469516 yhj.hffd.OnthecoastofFrancetheresoundedacryoffearforthebloodstained
    E58E0652 yhj.hffd.OnthefreshswardofEnglandstoodtheDanishswan
    266EA104 yhj.hffd.andhestretchedouthisgoldensceptreoverthelandTheheathens
    2D18694E yhj.hffd.bytheopenseashorewiththecrownofhreekingdomsonhishead
    B27AE830 yhj.hffd.closebytheEmperorthroneandspreadtheirwingsover
    3A9F4156 yhj.hffd.himasshieldstoprotecthimTheyreceivedthenameofVarangians
    A7913247 yhj.hffd.nthePomeriancoastbentthekneeandtheDanishswanscamewiththebanneroftheCrossandwiththedrawnsword
    8660E889 yhj.hffd.southwardtoByzantiumtheswansestablishedthemselvesthere
    F1ABCA16 yhj.hffd.swansthatcamefromtheNorthwithfireundertheirwingsandthepeopleprayed
    9E5E1DD1 yhj.southwardtoByzantiumtheswansestablishedthemselvesthere.closebytheEmperorthroneandspreadtheirwingsover
    B9228633 yhj.southwardtoByzantiumtheswansestablishedthemselvesthere.southwardtoByzantiumtheswansestablishedthemselvesthere

    2FA66CA7 dfjg6.Gtr6H.B66gGh
    A1A8D735 dfjg6.Gtr6H.One
    C87D35F2 dfjg6.Gtr6H.glide
    1334D9CA dfjg6.Gtr6H.his
    5B57AA8F dfjg6.Gtr6H.let
    CBE35512 dfjg6.Gtr6H.pinions
    3060758F yhj.One.One
    0CA2CA3D yhj.One.let
    D467025B yhj.hffd.BetaReceiver
    CC707196 yhj.hffd.BetaService
    6B3BDB89 yhj.hffd.BetaWebA
    CFD12269 yhj.hffd.BootReceiver
    B9820155 yhj.hffd.HtmlActivity
    2189D879 yhj.hffd.One
    FBE31EDD yhj.hffd.glide
    2C23BFD1 yhj.hffd.golden
    4A8D03E5 yhj.hffd.his
    B377A337 yhj.hffd.let
    BB7BFEA7 yhj.hffd.of
    D09EF0C4 yhj.hffd.over
    DE826751 yhj.hffd.pinions
    BDD52319 yhj.hffd.strings
    42DA12C5 yhj.hffd.the

    My guess is that you are talking about the .A and .C variants.

    P.S. Exact identification, exact identification, exact identification! Do you see now why it is necessary? 🙂 And how my dexid tool can be useful? 😉

  2. Terrylynn says:

    I really like Lookout. I have it downloaded on my husband’s phone. He knows I do, only for the purpose that if I don’t hear from him I can locate him. He is on the road for days and it helps to know that he is okay. I use it more for that: if I don’t hear from him and if anything did happen, at least I would know where to start looking for him. The only thing I don’t like is that in some areas where there is no cell service I can’t locate him, and I worry at times. But this would be great for mothers to know where their kids are. Thanks that this part is free. I am thinking about all of it and paying for it because it really is worth it.

  3. Steve says:

    Trojan.AndroidOS.Opfake.f was found by VirusTotal in something called ‘VIPRE’. How does one get rid of it? It seems not so dangerous from what I can read about it.
