It's been a while since we looked at the Android malware space (I think the last one was here), so when someone asked about it yesterday, I pulled up some log traffic to take a look.
It looks like Russia and China continue to be hotbeds for unofficial app download sites, where you're definitely taking your chances.
Here's a good example: a nice-looking site offering an Android version of Skype:
This site, by the way, lives on a shared web host with a lot of other sites — not in a "bad part of town". Unfortunately, when you click on the download button, you are relayed to a different site (that is in a shady neighborhood) and then on to yet another shady site for the actual download.
That download is currently recognized by 10 of the AV engines at Virustotal, which is about average. Interestingly, the most popular name there is "OpFake", which I believe is shorthand for "Fake Opera" — as we've blogged in the past, this is a common ruse in the world of Android malware.
That prompted a check on the malnet behind this attack, as well as another malnet we track, both specializing in Android malware, to see if the site names they are currently using to "advertise" their malware show any patterns worth commenting on…
In the past week, I count 38 domain names in one malnet, and 14 domains in the other. They included two different "Flash update" sites, four different "porno" sites, a "movies" site, a couple of "browser" sites, and several general "file" and "app" sites.
All of which are having their downloads flagged automatically as either Malware or Suspicious by WebPulse…
Another example that I thought was interesting shows how the Bad Guys have taken an old-favorite attack vector (Fake Antivirus software) and adapted it for the new world of smartphones:
In this attack ("Optimizator Telefona"), the white box was built out one line at a time, pretending to be checking my phone for each item that it could "optimize", including such things as "Errors: 17" and "Updates: 24"… (Sadly, my phone didn't support the "3D Vision" feature; darn, I'll have to get a newer one… or maybe they'll have that feature ready for their next fake upgrade!)
Clicking the "Skachat (download) Optimizator" button sent a malicious Java file my way, which was immediately blocked as malware by our Cloud Security service (which I'm using since I'm on the road this week).