If you’re using Facebook on your Android smartphone, you should be just as careful clicking on links as you would (hopefully) be on a desktop computer.
A few days ago I received a Facebook friend request and, as is usual, used my Android smartphone to check out the details of the person before I decided whether I wanted to become “friends” or not.
As the following video demonstrates, a link on the user’s Facebook profile redirected my browser to a webpage that downloaded malware automatically onto my Android phone.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
The malware package was called any_name.apk, and appears to have been designed to earn money for fraudsters through premium rate phone services.
Alarm bells definitely rang when I noticed the app was using a class name which attempted to associate it with the legitimate Opera browser app:
com.opera.install
An encrypted configuration file inside the package includes the dialling codes for all supported countries (for instance, the UK is in there) and the premium rate number and text of the SMS message which it intends to send.
Although the app makes a pretence of informing you what it plans to do when you first run the program, it is being pushy in the extreme by installing itself without your permission.
What’s even more suspicious is that when I revisited the URL on my Android smartphone a few days later, I was redirected to another website which downloaded a different app (allnew.apk) with the same functionality as the earlier sample, but a different binary.
Clearly someone is busy creating new variants of this malware.
Sophos products detect the malicious app as Andr/Opfake-C.
Take care everyone.
Update: In answer to some readers’ questions, it’s important to note that the malware does not install itself automatically onto the Android smartphone. Instead, what we saw was the malicious APK file downloaded onto the device. There does, of course, remain the risk that a user might be tricked into manually installing the app – perhaps through social engineering.
As always, be very careful what you install onto your Android phone, and check the permissions that it asks for. You may also like to consider installing some free anti-virus onto your Android device.
What?
It installed? It only downloaded is what the video shows?
Problem is – it downloaded without permission
So did it just download, or did it actually install?
Answer please!
Yes, you are right, it did not install automatically. I did not click on the actual malicious APK file and install it on my private phone, and that is why it is not visible in the video. But for ordinary users it could be a serious attack. In my experience, they rarely check the permissions when they install an app. So, this does not exploit some Android vulnerability, or Google’s indeed, but it is an interesting combination of a web based attack that caters for Android devices.
If someone can't figure out that they didn't click a link meaning to download something, it's their problem and not Android's.
Is this only a problem if using the built-in browser, or would using Opera Mobile also leave you exposed?
Any browser is vulnerable to threats, just that some browsers are safer and offer warnings for stuff like this. I could go on for hours about why some browsers are better than others, but at the end of the day everyone is different and it's down to the user's preference.
You indicate that Sophos products detect this, but this is on an Android and your mobile products only support Windows platforms. Thoughts???
Not true. They have mobile apps for Android. Check the store.
So this APK downloaded, but were you presented with the Android OS screen where it lists the permissions the app is requesting and you can either choose "Install" or "Cancel"? If THAT screen was overridden somehow, then I would be seriously amazed. The video stops when the download finished; I am curious as to what the user is presented with afterwards.
Nice. This is yet another instance of FakeInstall application. The user who posted this link must have created this SMS-Trojan using ZipWap service or other similar services.
Hey, I guess you turned off the "Only install from trusted sources" option in your phone.
And *THEN* downloaded and installed a software package from some, joe blow website.
Nice. Hey, can I get your Visa number, PIN and CVV number for it.
Also, how about your SSN and mother's maiden name.
Thanks.
Sure, and the fact is that many people would give you those details. Just think about some fake anti-virus software which is very common on Windows. Let us not forget that the large majority of users (even Android users) are not very technically competent.
This would make this attack no different than Phishing, though. It isn't easy to fault a system for the user not having a clue.
Actually, I never blame Google for this. It would be exactly the same as blaming Microsoft for the fact that there are millions of malicious programs targeting Windows.
I am sure some people would disagree with this 🙂
It won't install unless you open the downloaded file AND have enabled "install apps from unknown sources" under Settings >> Applications AND you click install on the installation screen.
Indeed, the above video just shows that the app was downloaded automatically. Which should be fairly simple for someone to do (I.e. detect if the browser agent is Android and instantly redirect to an apk file). This is very different than saying that the app installed automatically. The app would have to somehow suppress both the trusted sources and the app permission warnings, and I highly doubt that this is something an apk file could do (it’s just a zip file after all, not a Windows executable), even if the browser was tricked to automatically start the app installation process.
Ok so I decided to install it on a Nexus One to see what sort of malware this was. I also tested the efficiency of four different antiviruses: AVG Pro, Avast Mobile, NetQin and Lookout.
I went to that webpage and after a couple of redirects it downloaded a file called RSS.apk from a website called moby-agent.ru. It requests permission to send / receive SMS and connect to the Internet, as seen in this picture: http://twitpic.com/8oppkp. After launching the application, I got a weird message in Russian (http://twitpic.com/8orlpe), which according to Google means something like: "confirm acceptance of the rules download Rss. To continue booting click the button below." It also displayed two buttons, "правила", which would bring up what seems to be a Terms and Conditions page in Russian, and the other one, "далее", which means Accept and would open up a .ru website.
By doing further research, I discovered that this is just another version of the multi-platform worm that pretends to be Opera Mini and that sends premium-rate SMS to international numbers. Sophos calls it Andr/Boxer-C.
None of the four antiviruses could stop the installation or even detect the APK as malicious before it was installed. And even after installing it, only AVG and Avast could detect the threat (http://twitpic.com/8orwai); NetQin and Lookout disappointingly failed to do so, even though this threat has been going around for months.
How can I know if an APK is installed AND how can I uninstall it?
AFAIK, all APK files, once installed, are registered with the OS and you should be able to see them when you choose to manage your applications in your settings. However, the actual names displayed are not the names of the package (APK) files.
If you want to see APK file names of all free apps installed on the system you should be able to use a file manager app like Astro file manager and see which files are installed, usually under /data/app for user apps or /system/app – for apps pre-installed on the device.
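An added example, not code from the article or from any commenter, for the check the reply above describes: on Android, `pm list packages -f` (run via `adb shell` or a terminal app) prints every installed package together with its APK path, so its output can be split into user-installed apps under /data/app and pre-installed ones under /system/app, and a suspicious package name such as com.opera.install can be looked up directly. The sample lines are constructed; on a real device you would pipe the command's real output into these functions instead.

```shell
#!/bin/sh
# Constructed sample of `pm list packages -f` output (assumption: one
# "package:<apk path>=<package name>" entry per line, as Android prints it).
SAMPLE='package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.opera.install-1.apk=com.opera.install
package:/data/app/com.opera.mini.android-2.apk=com.opera.mini.android'

# user_apps: read pm output on stdin, print "<package name> <apk path>"
# for every package whose APK lives under /data/app (user-installed apps).
user_apps() {
  grep '^package:/data/app/' | sed 's/^package:\([^=]*\)=\(.*\)$/\2 \1/'
}

# system_apps: same, but for pre-installed apps under /system/app.
system_apps() {
  grep '^package:/system/app/' | sed 's/^package:\([^=]*\)=\(.*\)$/\2 \1/'
}

# is_installed PKG: read pm output on stdin; exit 0 if PKG is an installed
# package name (exact match, so com.opera.install does not match
# com.opera.mini.android), exit 1 otherwise.
is_installed() {
  grep -q "=$1\$"
}

# apk_path PKG: read pm output on stdin, print the APK path of package PKG.
apk_path() {
  sed -n "s/^package:\(.*\)=$1\$/\1/p"
}

# Stand-alone usage over the constructed sample.
echo "User-installed apps:"
printf '%s\n' "$SAMPLE" | user_apps
if printf '%s\n' "$SAMPLE" | is_installed com.opera.install; then
  echo "com.opera.install is installed at $(printf '%s\n' "$SAMPLE" | apk_path com.opera.install)"
fi
```

To uninstall a package found this way, `pm uninstall <package name>` takes the package name printed in the first column, not the APK file name.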
Question: Who just watched the video without reading the article and commented anyway? Oh, most of you? Oh, okay then. 😉
Very naive to click on a link that's so obviously suspicious. Equally naive to add FB friends willy-nilly.
What kind of stupid browser allows a file to download without asking the user at all?
To me this browser is broken and needs to be updated.
Or does the site exploit a security flaw in the browser to download it?
Either way, how do we upgrade the default Android browser to fix?
"What kind of stupid browser allows a file to download without asking the user at all?"
Pretty much any browser does. It would get very frustrating if your browser asked for confirmation every time you clicked a URL.