The Latest in IT Security

Trojan:Android/OpFake.D still encodes its config file


We’ve been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here’s another trojan that fits the bill.

Opfake was first found on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app…whose only permission request is to send SMS messages:

android_opfake_permission (43k image)

Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the messages on launch:

android_opfake_sent_sms (13k image)

In previous cases, we usually saw these SMS messages hard-coded into the classes; this time, the message contents and telephone numbers are stored in a ‘config.xml’ file and are encoded. Here’s the garbled code:

android_opfake_garbled_code (47k image)

The string becomes readable when decoded using base64 decoding, showing the SMS messages sent by the app on execution:

android_opfake_decoded_code (5k image)

This Android version (SHA1: 4b4af6d0dfb797f66edd9a8c532dc59e66777072) simply continues the opFake ‘tradition’ of encoding its configuration files, so by itself, that’s not new. It does however fit into a current trend of Android malware increasingly using encoding, encryption and other techniques (which have been standard for years on other platform) to hide its code or actions from analysis.

ThreatSolutions post by – Irene

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments