Fake Instagram app infects Android devices with malware

Filed Under: Android, Featured, Google, Malware, Mobile

InstagramTempted to try out the much talked about Instagram app? Well, be careful where you get it from - as malware authors are distributing malware disguised as the popular app.

It's a rain cloud on a summer's day for the Instagram photo-sharing smartphone app, which is otherwise having a glorious time right now.

First of all, Instagram released a first version for Android and managed to get five million downloads in less than a week.

Then the 13-employee firm managed to sell itself to Facebook for a cool $1 billion, making some of us wonder about privacy, and others think - "to heck with that, do I have a program that's never earnt any money that I might be able to flog to Mark Zuckerberg?".

Naturally, the Facebook acquisition news raised Instagram to even higher levels of public awareness and that's where the bad guys stepped in.

Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.

Here's a Russian website which purports to offer the Instagram app:

Fake Instagram website

If you download your app from this site, rather than an official Android marketplace such as Google Play, then you are running the risk of infecting your smartphone.

Permissions requested by fake Instagram app

In our tests, the app didn't do a very good job of emulating the genuine Instagram app, but that may be because it failed to find the correct network operator. Because this is a malicious app that seems to be relying in the sending of background SMS messages to earn its creators revenue.

Sophos products detect the malware as Andr/Boxer-F.

Android malware is becoming a bigger and bigger problem, of course. Just last week we reported on a bogus edition of the Angry Birds Space game that was being used in another attack.

It's quite likely that whoever is behind this latest malware campaign is also using the names and images of other popular smartphone apps as bait.

Photo inside malicious appCuriously, contained inside the .APK file is a random number of identical photos a man.

Maybe the reason why his picture is included multiple times is to change the fingerprint of the .APK in the hope that rudimentary anti-virus scanners might be fooled into not recognising the malicious package.

We have no idea who the man is or whether there is a reason why his picture has been chosen to include in the download.

Could he be the malware author? A family friend? A celebrity? Someone who the malware author has a bone to pick with?

If you have any thoughts on this perplexing aspect to the case, please let us know by leaving a comment.

Thanks to Naked Security reader @DakotaMistress (and others), who pointed us in the direction of this Moscow wedding photo - with a rather casually-dressed witness, with his hands in his pockets:

Picture of Moscow wedding

It seems the man pictured become something of an internet phenomenon after his photo was shared widely on Russian internet forums. But the reality is that it's just a snapshot at a Moscow wedding.

We've all seen someone dressed a little too casually at a wedding before, so it's probably something that we can all relate to. :)

, , , , ,

You might like

18 Responses to Fake Instagram app infects Android devices with malware

  1. The man from the image is a Russian meme. Google "свидетель из Фрязино" images.

  2. Тот Самый Кот · 1267 days ago

    Man on photo is hero of runet meme "A witness from Fryazino" - he was randomly photoshoped in photos to recreate 'photobomb' - when random person captured in frame completely ruins picture.

  3. На фото русский мем Свидетель из Фрязино. Google Translate вам в помощь ;)

  4. dAverk · 1267 days ago

    It's man - is Russian meme )

  5. mazafakanigga · 1267 days ago

    This man - is Russian meme

  6. Man on photo is russian internet meme - Witness from Fryazino. Witness from Fryazino beheld everything.

  7. Anon · 1267 days ago

    On photo Witness from Fryazino (http://j.mp/JMctvF in russian).

  8. Hey guys, i'm russian, so i could bring the light to solve the mystery of the strange man identity.

    He's called Svidetel iz Fyazino, or "Bestman from Fryazino town". He's an epic mem and well known hero of russian internet culture. Since 2006 he's appeared in thousands of photoshopped pics, advice-dogs, demotivator and so on.

    You can find some his pics at this original thread: http://www.yaplakal.com/forum27/topic88718.html

    In russian language a word 'bestman' sounds the same as 'witness'. So, this's just a joke, putting Witness's face into the malicious app.

  9. Simp · 1267 days ago

    i think there was video mem(few years ago) with guy looks like this one. I cant say it for sure...

  10. Denis · 1267 days ago

    Hi guys. This is a picture of old russian internet meme "Svidetel iz Fryazino", which literally means "Witness from Fryazino"
    It's just a funny joke, nothing more

  11. webnote · 1267 days ago

    Here is all about Свидетель: http://goo.gl/9XYjO

  12. Laurence Marks · 1267 days ago

    This must be the video equivalent of being Rick-rolled. Looks like they got you, Graham.

  13. mvpanthersfan11 · 1267 days ago

    Looks kinda like Ben Rothlisberger to me

  14. nfl · 1267 days ago

    Your competitors already identified the man in February: http://www.symantec.com/connect/blogs/server-side...

  15. why can't people go on instagram's website? HOW STUPID ARE PEOPLE?

  16. Vesselin Bontchev · 1266 days ago

    Grahan, this is NOT an "Instagram Trojan". It's a generic downloader Trojan. It's proper name is FakeSMSDownloader.

    You see, the scam goes like this. There is a set of Russian sites that claim to be repositories for Android apps. They are not technically markets - they just provide APK files for download. Most of the apps I've seen there are free, although there might be also pirated ones, I'm not sure.

    When the user tries to download an app, what he actually gets is a downloader. It is just that whoever tried this happened to request the Instagram app - but no matter which app they would have requested, they would have received exactly the same downloader app. So, the thing is not Instagram-related in any way (for instance, it is not a Trojanized Instagram app) and it is wrong to call it like that.

    Once the downloader is installed on the phone, it sends 3 SMS messages to premium numbers. Some versions even tell the user that they are going to do so - although they don't specify clearly what these numbers are and what the cost will be. After that they download the actual app that the user has requested. It's URL is kept in a data file inside the APK package (APK packages are just ZIP archives). In addition, each time before the server provides the downloader, random data files are added to it, in order to fool AV programs that rely on whole-file checksums. So, even if you request one and the same app several times in a row, you'll get different APK files. The code inside, however, will be one and the same.

    For a while, anyway. You see, the thing uses server-side polymorphism, although that one (unlike the modification of the APK file before each download) is done manually, not automatically. Every workday, the program of the downloader app is modified by hand and the app is re-compiled. The changes are trivial - the classes are renamed every few days, some lines are swapped around, variables are added, etc. So, basically, the thing uses server-side polymorphism.

    This thing (FakeSMSInstaller) has been around since November and changes almost every day - I'm up to variant .CA already and I probably haven't seen all of them. Whoever has noticed it when trying to get a copy of Instagram simply hasn't realized that it is just yet another trivial variant of this old Trojan.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley