In the first quarter of 2012 we have continued to see a growing trend in premium SMS mobile malware targeted at European markets. Many of these malware families clearly share ancestry in their construction and are promoted in a way similar to the affiliate marketing used for legitimate apps. They include RuPaidMarket, DepositMobi, OpFake and other associated fraudulent installer applications.
In a continuation of this trend, Lookout has discovered in the past week two significant new variations on this theme. One appears to be an entirely new construction, and one appears to be a significant evolution (variant) of the fake installer apps. While their code bases clearly differ, they are related by distribution and by significant overlap in targeted short codes.
If you are currently a Lookout user, you are already protected and do not need to take any additional action.
How it works
FakeWAM is an evolution of the OpFake / RuPaidMarket premium SMS toll fraud family. Like previously identified instances, FakeWAM claims to install “WhatsApp Messenger,” but does not. This new variant is significant in that it uses reflection, the mechanism by which a program can look up and call classes and methods by name at runtime, to reach the operating system services it needs (notably the one used to send SMS). Because the SMS-sending API is resolved from a string at runtime instead of being referenced directly in the compiled code, the application has a substantially different “fingerprint” from the one used to detect its siblings.
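To make the fingerprint point concrete, here is an added example (not Lookout’s detection logic, and not code taken from either malware family) that scans two constructed, smali-style method listings: one that calls the SMS API directly, as the earlier siblings do, and one that reaches the same API through Class.forName / getMethod / Method.invoke. A signature keyed on the direct method reference matches only the first; a check that also looks for reflection calls combined with the API’s class and method names as string constants catches the second. The listings, placeholder numbers and method name are constructed for illustration.

```python
"""Heuristic detection of direct vs. reflective use of the Android SMS API.

Added example, not Lookout's detection logic. The listings below are
constructed, simplified smali-style fragments, not real malware code.
"""
import re

# Direct call: the SMS API shows up as a resolved method reference.
DIRECT_SMS_RE = re.compile(
    r"invoke-(?:virtual|static)\s+\{[^}]*\},\s*"
    r"Landroid/telephony/SmsManager;->send\w*Message"
)
# Reflective call: the API is named only in string constants handed to
# Class.forName / getMethod and then called through Method.invoke.
CONST_STRING_RE = re.compile(r'const-string\s+v\d+,\s*"([^"]*)"')
REFLECTION_RE = re.compile(
    r"Ljava/lang/Class;->(?:forName|getMethod|getDeclaredMethod)"
    r"|Ljava/lang/reflect/Method;->invoke"
)
SMS_CLASS = "android.telephony.SmsManager"
SMS_METHODS = {"sendTextMessage", "sendMultipartTextMessage", "sendDataMessage"}

# Constructed sample: direct call, the style of the earlier siblings.
DIRECT_SAMPLE = """\
.method private sendPremium()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "PREMIUM_NUMBER"
    const-string v2, "PAYMENT_TEXT"
    const/4 v3, 0x0
    invoke-virtual {v0, v1, v3, v2, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

# Constructed sample: same action through reflection; note that the
# string "Landroid/telephony/SmsManager;" never appears as a reference.
REFLECTIVE_SAMPLE = """\
.method private sendPremium()V
    const-string v0, "android.telephony.SmsManager"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v1
    const-string v2, "getDefault"
    const-string v3, "sendTextMessage"
    invoke-virtual {v1, v3, v4}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v5
    const-string v6, "PREMIUM_NUMBER"
    invoke-virtual {v5, v0, v4}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
"""

# Constructed sample: reflection used for something unrelated to SMS.
BENIGN_SAMPLE = """\
.method private loadPlugin()V
    const-string v0, "com.example.Plugin"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    return-void
.end method
"""


def sibling_signature_hits(listing):
    """The narrow check: does the code reference the SMS API directly?"""
    return any(DIRECT_SMS_RE.search(line) for line in listing.splitlines())


def reflective_sms_hits(listing):
    """Reflection API used AND the SMS class and a send method named as strings."""
    lines = listing.splitlines()
    uses_reflection = any(REFLECTION_RE.search(line) for line in lines)
    strings = [m.group(1) for line in lines for m in CONST_STRING_RE.finditer(line)]
    return uses_reflection and SMS_CLASS in strings and bool(SMS_METHODS & set(strings))


def classify(listing):
    """Return 'direct', 'reflective' or 'none' for one method listing."""
    if sibling_signature_hits(listing):
        return "direct"
    if reflective_sms_hits(listing):
        return "reflective"
    return "none"


if __name__ == "__main__":
    for name, sample in [("direct", DIRECT_SAMPLE), ("reflective", REFLECTIVE_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(f"{name:10s} sibling-signature={sibling_signature_hits(sample)} "
              f"classify={classify(sample)}")
```

The benign sample is there to show why the string check must require the combination of reflection plus the SMS class and method names: reflection alone is common in legitimate apps. The heuristic is deliberately simple; a variant that builds the class or method name from fragments or decodes it at runtime would defeat the string match, which is why a behavioural check on the actual SMS send is the more robust signal.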
AlphaSMS is a minor but related family. The application poses as an app downloader/installer but instead sends premium SMS messages that are charged to the user. It then redirects the user to a website offering additional, potentially malicious applications for download. AlphaSMS’ construction is unsophisticated but effective.
Both AlphaSMS and FakeWAM launch websites in an effort to get a user to install more potentially malicious apps on their device. Based on our sampling, these sources are split roughly 50/50 between legitimate applications and other associated toll fraud malware.
- FakeWAM: Jk7H.PwcD
- AlphaSMS: dfjg6.Gtr6H
Who is affected?
Neither of these families was discovered in a mainstream application market, so the risk to users is relatively low.
How to stay safe
- Only download apps from trusted sources, such as reputable app stores and download sites. Read through the permissions, and remember to look at the developer name, reviews and star ratings.
- Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include unusual text messages, strange charges to your phone bill, and suddenly decreased battery life.
- Download a mobile security app for your phone that scans every app you download. For extra protection, make sure your security app can also warn you when navigating to unsafe websites.