Avid readers of this blog can attest that we have been documenting a number of noteworthy malicious binaries affecting smartphones, and those running Android, specifically, are taking most of the brunt from these threats. One malware family we have featured is OpFake, a family of Trojans posing as a free app, often under the guise of Opera Mini. Once OpFake is installed on a smartphone, it sends SMS messages to premium-rate numbers without the owner's knowledge. In other words, it scams them into shelling out money.
(BTW, our friends at Symantec published an in-depth paper on this family that you might want to check out.)
Just like the recent Boxer binary we found, this new OpFake variant has also evolved, exhibiting characteristics unlike those of its older siblings. Case in point: it no longer simply mimics Opera Mini; it now bundles the legitimate browser with itself.
Above is a screenshot of a fake Opera Mini support website where users can download a package named “com.surprise.me” (file name: “opera_mini_65.apk”). This is the new OpFake variant, which GFI VIPRE Mobile Security detects as Trojan.AndroidOS.Generic.A. Do keep in mind that the package and/or file names may change over time.
During installation, two sets of “Permission to Install” pages are displayed to smartphone users: (1) The first set (shown below) comes from the malware itself. As you can see, it asks for read and modify rights to all SMS and MMS messages, read rights to all contacts stored on the smartphone, and modify or delete rights to the SD card, among other things.
(2) Once users agree to install, this malware then redirects them to the second set, which is a legitimate Opera Mini page:
After installation, users can now readily use the said browser:
More than likely, users will not be aware that something might have infiltrated their phones until the bill arrives.
Here is a list of the tasks this malware does on compromised smartphones:
- It sends one (1) SMS message to a premium-rate number before it installs the legitimate Opera Mini. A command and control (C&C) server dictates both the content of the message and the number it is sent to.
- It also connects to the C&C server to retrieve data.
- It reads the following stored information:
- Country location
- Operator name
- OS version
- Phone type
- Device ID (IMEI)
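The permission set shown on the first “Permission to Install” page and the task list above together describe a recognizable profile: SMS send/read/modify rights, contact and SD-card access, device identity (IMEI, operator) and network access for the C&C connection. The script below is an added example, not code from the original post or from GFI; it parses the `<uses-permission>` entries of a decoded Android manifest and flags that combination during triage. The two manifests embedded in it are constructed for the example (the package names are made up and are not the real com.surprise.me manifest), and the “suspicious” threshold is this example's own choice.

```python
"""
Added example (not from the original post): triage the <uses-permission>
entries of a decoded AndroidManifest.xml against the permission profile the
post describes for OpFake.  Expects the text form of the manifest, i.e. the
output of a decoder such as apktool, not the binary XML inside the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the behaviour described in the post.
PERMISSION_GROUPS = {
    # read/modify SMS and MMS, and send the premium-rate message
    "sms_control": {
        "android.permission.SEND_SMS",
        "android.permission.READ_SMS",
        "android.permission.WRITE_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECEIVE_MMS",
    },
    # read rights to all contacts
    "contacts": {"android.permission.READ_CONTACTS"},
    # modify or delete SD-card contents
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    # device ID (IMEI), operator name, phone type
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},
    # connecting to the C&C server
    "network": {"android.permission.INTERNET",
                "android.permission.ACCESS_NETWORK_STATE"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Score a manifest against the profile above.

    Verdict is 'suspicious' when the app can send SMS, reach the network and
    read device identity at the same time: the minimum needed for the
    premium-SMS-plus-C&C behaviour in the post.  The threshold is this
    example's own choice, not a rule from the original article.
    """
    perms = requested_permissions(manifest_xml)
    matched = {group: sorted(perms & wanted)
               for group, wanted in PERMISSION_GROUPS.items() if perms & wanted}
    can_send_sms = "android.permission.SEND_SMS" in perms
    has_network = "network" in matched
    reads_identity = "device_fingerprint" in matched
    verdict = "suspicious" if (can_send_sms and has_network and reads_identity) else "review"
    return {"permissions": sorted(perms), "matched_groups": matched, "verdict": verdict}


# Constructed sample: what a trojanized browser wrapper might declare.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# Constructed comparison: a browser that only needs the network.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["verdict"], result["matched_groups"])
```

The point of the comparison is that a browser has no business asking for SEND_SMS or READ_PHONE_STATE; the legitimate Opera Mini page that follows in the install flow asks for a far narrower set, which is exactly why the first permission page deserves a careful look.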
Although the criminals behind the OpFake malware have been known to target only Android users, variants targeting Symbian and iPhone users have already been found in the wild.
Smartphone users are advised to visit only legitimate sites when looking for Web browsers to download. And if this post made you wonder where you can get a legit and clean copy of Opera Mini, it’s in here.
Jovi Umawing (Thanks to Randall for spotting this)