
Android Attackers Launch Fake App Market

Malicious apps include a fake version of Skype that surreptitiously sends text messages to premium-rate numbers, racking up charges to the user and revenue for the cybercriminals.

Having a difficult time distributing your malicious smartphone apps? Then why not just create an entire fake app store to peddle your wares?

In fact, that appears to be the strategy employed by the creator of "myadroidmaklet.net," a third-party app market that purports to offer more than 50 apps for free download, including Adobe Flash Player, Angry Birds Rio, Google Maps, Mozilla Firefox, Need for Speed Hot Pursuit, Opera, Skype, and World of Goo. But in fact, all of these apps are really a Trojan app--malware--in disguise.

Microsoft has dubbed the underlying Android Trojan SMSFakeSky, and noted that it's designed to target Russian-speaking users. "It poses as a legitimate application, so when you try to install the Trojan, it may ask you for permissions to run," according to Microsoft's malware analysis. Notably, the app will request permission to read the user's sent and received SMS and MMS messages, to see the user's location, to have full Internet access, to modify and delete the contents of removable storage, and to gather all information related to phone calls. The app also typically requests permission to download further required software, such as Adobe Flash Player, although even this installation will be just another version of the Trojan app in disguise.

[ Even legit mobile apps can carry risks. See Free Android Apps Have Privacy Cost. ]

Android permission requests are meant to give Android users pause, prompting them to ask: "Is the app that wants full Internet access legitimate, or really malware?" But if attackers can trick a user via a social-engineering attack into downloading a "Skype" app that they think is real, then it's likely that they'll grant the malicious app whatever permissions it requests. In addition, the number of different permissions requested is no giveaway, given the "excessive permissions" requested by many legitimate Android apps.
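As an added example (not code from the Dark Reading article or from Microsoft's analysis), the following Python triage script parses the `uses-permission` entries of an AndroidManifest.xml and flags the permission combinations that enable the premium-SMS behaviour described here, rather than counting permissions. Both manifests are constructed for illustration: the permission strings are real Android permission names, but the package names, the "Skype" label and the risk combinations are this example's own assumptions.

```python
"""Triage Android manifest permissions for the premium-SMS fraud pattern.

Added example, not from the article or from Microsoft. The two manifests are
constructed for illustration; the risk heuristic (combinations, not counts)
is an assumption of this example, not a published detection rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest resembling what a fake "Skype" installer might declare.
SAMPLE_FAKE_SKYPE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.skype">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Skype"/>
</manifest>
"""

# Constructed manifest for a legitimate-looking chat client: MORE permissions
# by count than the fake above ("excessive" by the article's standard), yet
# none that allow sending SMS silently.
SAMPLE_BENIGN_CHAT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in the Android XML namespace
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


# Combinations that together support the toll-fraud behaviour the article describes:
# sending SMS without the user's involvement, and seeing incoming SMS (so carrier
# confirmations can be read or suppressed), or fetching numbers from a server.
SMS_FRAUD_COMBOS = [
    ({"android.permission.SEND_SMS"},
     "can send SMS without user interaction"),
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "can send SMS and observe incoming SMS (e.g. carrier confirmations)"),
    ({"android.permission.SEND_SMS", "android.permission.INTERNET"},
     "can send SMS and retrieve premium numbers from a remote server"),
]


def assess(manifest_xml):
    """Score a manifest: the permission count is reported but never decides risk."""
    perms = declared_permissions(manifest_xml)
    findings = [reason for needed, reason in SMS_FRAUD_COMBOS if needed <= perms]
    return {"count": len(perms), "findings": findings, "high_risk": bool(findings)}


if __name__ == "__main__":
    for label, manifest in (("fake Skype", SAMPLE_FAKE_SKYPE),
                            ("benign chat", SAMPLE_BENIGN_CHAT)):
        result = assess(manifest)
        print(label, result["count"], "permissions, high_risk =", result["high_risk"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone, the script shows the point of the paragraph above: the benign manifest declares more permissions than the fake one, so a raw count would rank it as the riskier app, while the combination check flags only the manifest that can send SMS on its own. On a real device the same check belongs at install time or in an MDM policy, alongside restricting installs to trusted app stores.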

Once the disguised SMSFakeSky receives those permissions, it executes. "When it runs, the Trojan displays a fake progress bar, so as to appear as though it is downloading an app to your mobile device," according to Microsoft. "It then displays a URL to a supposed statement of agreement, but you cannot access this link. When you click the 'Agree' button, the Trojan will send multiple SMS messages to premium numbers at your expense."

The malware's use of prompts helps hide what it's really doing. "The deception behind the UI [user interface] controls is difficult for users to detect. It is likely that the malicious activity would cause mobile charges before the victim notices it, and this creates a large incentive for cybercriminals to continue perpetrating this fraud," said a blog post from Methusela Cebrian Ferrer at the Microsoft Malware Protection Center.

SMSFakeSky is far from the first piece of malware designed to make Russian phones send messages to premium-rate SMS numbers, thus draining funds from the accounts tied to infected smartphones and delivering the money to attackers. The prevalence of such malware reflects a lack of legislation holding telecommunications providers accountable for attacks that make use of premium numbers. Indeed, Russia and many other Eastern European countries allow anyone to anonymously rent a premium-rate number, and the labyrinthine relationship between telecommunications companies and the resellers who lease such numbers makes tracing even the providers of those numbers difficult.

Beyond setting up fake storefronts such as myadroidmaklet.net, another up-and-coming Android scam, according to Microsoft, is the use of paid archives that contain malware. "These are less aggressive by nature as they don't infect the system. Instead, they use a more cunning way to trick users into giving them money without using scare tactics--by getting them to pay for software that's otherwise free, or for pirated copies of paid software," according to Microsoft researchers Sergey Chernyshev and Daniel Chipiristeanu. They plan to detail their research into paid archives, including the use of automated fake-archive generation tools, as well as a breakdown of "how the money is earned and distributed by the bad guys," in September 2012 at the VB2012 conference in Dallas.
