One of our security researchers in the AV Labs spotted an Android application that poses as the popular Web browser Firefox and is hosted on several Russian websites (note that these sites are still up and running as of this writing). The Android application files (.APK) that users can download from them vary not only in file name but also in file size.
Expect that these files can change over time, but for now, here’s what we have gathered:
- f7sleep45feed_installer.apk – file size: 183 KB
- Firefox-install.apk – 465 KB
- Mozilla_Firefox_Android_install.apk – 388 KB
One of the Russian websites also hosts an OpFake Android malware variant that posed as an app of the 10th Anniversary Edition of Grand Theft Auto (GTA) III, which Chris wrote about in April.
The criminals are taking advantage of the official, non-beta release of Firefox for Android on Google Play last June 26.
GFI VIPRE Mobile Security detects the malicious apps as Trojan.AndroidOS.Boxer.d.
The typical Boxer malware appears to be a legitimate app that users can download. Once installed, it loads a Rules page on the phone and asks users to accept it. The app then sends a premium SMS message to any of these numbers: 2855, 3855, 7151, or 8151. The Rules page discloses (in small text) that users will be billed for sending a premium SMS message. Boxer then directs users to the actual website where the legitimate app can be downloaded after claiming that it has successfully activated.
This particular Boxer variant, however, was found to be more devious.
Users who downloaded and installed the fake app from any of the malicious Russian websites will not see the Rules page, nor will they be prompted to confirm Boxer’s installation and activation on their Android devices. Boxer does all of this covertly, without users seeing it take place. It then sends the premium SMS message, “5975+3480758+x+a”, to the aforementioned numbers. Lastly, it loads google.com instead of directing users to the actual download site. One of our researchers believes that this is probably an effort to make users think that they have installed a dud app, thus leading them to download and install the fake app again, which, in turn, allows Boxer to send the premium SMS message multiple times.
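A static triage check built from the indicators above, as an added example that is not part of the original post or of VIPRE's detection logic. It assumes the APK's manifest has already been decoded to text XML (for example with apktool), that its strings have been extracted, and that the short codes and SMS body appear there in plaintext; the function names and sample input are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Indicators taken from the article: premium short codes and the SMS body.
SHORT_CODES = ("2855", "3855", "7151", "8151")
SMS_BODY = "5975+3480758+x+a"
# Match a short code only as a whole number, so "128551" does not hit.
CODE_RE = re.compile(r"(?<!\d)(" + "|".join(SHORT_CODES) + r")(?!\d)")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Report which of the article's Boxer traits one decoded APK shows."""
    sends_sms = "android.permission.SEND_SMS" in requested_permissions(manifest_xml)
    codes = sorted({m for s in strings for m in CODE_RE.findall(s)})
    body = any(SMS_BODY in s for s in strings)
    return {
        "sends_sms": sends_sms,
        "short_codes": codes,
        "sms_body": body,
        # SEND_SMS alone is common in benign apps; require an indicator too.
        "suspicious": sends_sms and bool(codes or body),
    }


# Constructed sample input (hypothetical, not taken from a real sample).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_STRINGS = ["http://google.com", "sms:7151", "5975+3480758+x+a", "id=128551"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A sample that obfuscates its strings or fetches the numbers at run time will not match, so a clean result here does not clear an APK.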
Boxer is also the fake app that posed as Instagram after it launched on Google Play. I hope it isn’t just me seeing a pattern here.
Dear Reader, please make sure that you only download the apps you’d want to use for your Android device from legitimate download sites such as Google Play. Sites that claim to be legit but are not are an insufferable lot, so due caution must be exercised at all times.
Jovi Umawing (Thanks to Randall for spotting this)