Tempted to try out the much talked about Instagram app? Well, be careful where you get it from – as malware authors are distributing malware disguised as the popular app.
It’s a rain cloud on a summer’s day for the Instagram photo-sharing smartphone app, which is otherwise having a glorious time right now.
First of all, Instagram released a first version for Android and managed to get five million downloads in less than a week.
Then the 13-employee firm managed to sell itself to Facebook for a cool $1 billion, making some of us wonder about privacy, and others think – “to heck with that, do I have a program that’s never earnt any money that I might be able to flog to Mark Zuckerberg?”.
Naturally, the Facebook acquisition news raised Instagram to even higher levels of public awareness and that’s where the bad guys stepped in.
Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.
Here’s a Russian website which purports to offer the Instagram app:
If you download your app from this site, rather than an official Android marketplace such as Google Play, then you are running the risk of infecting your smartphone.
In our tests, the app didn’t do a very good job of emulating the genuine Instagram app, but that may be because it failed to find the correct network operator: this is a malicious app that appears to rely on sending background SMS messages to earn its creators revenue.
Sophos products detect the malware as Andr/Boxer-F.
Android malware is becoming a bigger and bigger problem, of course. Just last week we reported on a bogus edition of the Angry Birds Space game that was being used in another attack.
It’s quite likely that whoever is behind this latest malware campaign is also using the names and images of other popular smartphone apps as bait.
Curiously, the .APK file contains a random number of identical photos of a man.
Maybe the reason why his picture is included multiple times is to change the fingerprint of the .APK in the hope that rudimentary anti-virus scanners might be fooled into not recognising the malicious package.
We have no idea who the man is or whether there is a reason why his picture has been chosen to include in the download.
Could he be the malware author? A family friend? A celebrity? Someone who the malware author has a bone to pick with?
If you have any thoughts on this perplexing aspect to the case, please let us know by leaving a comment.
Update:
Thanks to Naked Security reader @DakotaMistress (and others), who pointed us in the direction of this Moscow wedding photo – with a rather casually-dressed witness, with his hands in his pockets:
It seems the man pictured became something of an internet phenomenon after his photo was shared widely on Russian internet forums. But the reality is that it’s just a snapshot from a Moscow wedding.
We’ve all seen someone dressed a little too casually at a wedding before, so it’s probably something that we can all relate to. 🙂
The man from the image is a Russian meme. Google "свидетель из Фрязино" images.
The man in the photo is a hero of the runet meme "A witness from Fryazino" – he was randomly photoshopped into photos to recreate a 'photobomb', where a random person captured in the frame completely ruins the picture.
The photo shows the Russian meme Свидетель из Фрязино (Witness from Fryazino). Google Translate is your friend 😉
This man is a Russian meme )
This man is a Russian meme
The man in the photo is a Russian internet meme – Witness from Fryazino. Witness from Fryazino beheld everything.
In the photo is the Witness from Fryazino (http://j.mp/JMctvF, in Russian).
Hey guys, I'm Russian, so I can shed some light on the mystery of the strange man's identity.
He's called Svidetel iz Fryazino, or "Best man from Fryazino town". He's an epic meme and a well-known hero of Russian internet culture. Since 2006 he's appeared in thousands of photoshopped pics, advice dogs, demotivators and so on.
You can find some of his pics in this original thread: http://www.yaplakal.com/forum27/topic88718.html
In Russian, the word 'best man' sounds the same as 'witness'. So this is just a joke, putting the Witness's face into the malicious app.
I think there was a video meme (a few years ago) with a guy who looks like this one. I can't say it for sure…
Hi guys. This is a picture of an old Russian internet meme “Svidetel iz Fryazino”, which literally means “Witness from Fryazino”.
It’s just a funny joke, nothing more
[fʌk] idiots!!!
this man http://www.yaplakal.com/forum27/topic88718.html
Yes, he is a celebrity 🙂 http://www.yaplakal.com/uploads/post-2-1151391237…
Here is all about Свидетель: http://goo.gl/9XYjO
This must be the video equivalent of being Rick-rolled. Looks like they got you, Graham.
Looks kinda like Ben Roethlisberger to me
Your competitors already identified the man in February: http://www.symantec.com/connect/blogs/server-side…
why can't people go on instagram's website? HOW STUPID ARE PEOPLE?
Graham, this is NOT an "Instagram Trojan". It's a generic downloader Trojan. Its proper name is FakeSMSDownloader.
You see, the scam goes like this. There is a set of Russian sites that claim to be repositories for Android apps. They are not technically markets – they just provide APK files for download. Most of the apps I've seen there are free, although there might be also pirated ones, I'm not sure.
When the user tries to download an app, what he actually gets is a downloader. It is just that whoever tried this happened to request the Instagram app – but no matter which app they would have requested, they would have received exactly the same downloader app. So, the thing is not Instagram-related in any way (for instance, it is not a Trojanized Instagram app) and it is wrong to call it like that.
Once the downloader is installed on the phone, it sends 3 SMS messages to premium numbers. Some versions even tell the user that they are going to do so – although they don't specify clearly what these numbers are and what the cost will be. After that they download the actual app that the user has requested. Its URL is kept in a data file inside the APK package (APK packages are just ZIP archives). In addition, each time before the server provides the downloader, random data files are added to it, in order to fool AV programs that rely on whole-file checksums. So, even if you request one and the same app several times in a row, you'll get different APK files. The code inside, however, will be one and the same.
For a while, anyway. You see, the thing uses server-side polymorphism, although that one (unlike the modification of the APK file before each download) is done manually, not automatically. Every workday, the program of the downloader app is modified by hand and the app is re-compiled. The changes are trivial – the classes are renamed every few days, some lines are swapped around, variables are added, etc. So, basically, the thing uses server-side polymorphism.
This thing (FakeSMSInstaller) has been around since November and changes almost every day – I'm up to variant .CA already and I probably haven't seen all of them. Whoever has noticed it when trying to get a copy of Instagram simply hasn't realized that it is just yet another trivial variant of this old Trojan.
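The article's observation that the package carries a random number of identical photos, and the commenter's explanation that random data files are added before each download to defeat whole-file checksums, both point to the same defensive response: fingerprint the code-bearing entries of the APK rather than the whole file, and flag archives that store the same bytes under many names. The following script is an added example written for this page, not Sophos's or any commenter's tooling. It treats an APK as the ZIP archive it is, hashes only `classes.dex` and `AndroidManifest.xml` (the entries whose names are fixed by the APK format), and builds two constructed "APKs" in memory, with the same code but different padding, to show that the whole-file hash changes while the code fingerprint does not. The sample bytecode, manifest and URL file are stand-ins, not taken from any real sample.

```python
import hashlib
import io
import random
import zipfile
from collections import defaultdict

# Entries that carry the app's actual behaviour. Padding files added to
# defeat whole-file checksums do not touch these. (Assumption: the real
# bytecode lives in classes.dex, as the APK format prescribes.)
CODE_ENTRIES = ("classes.dex", "AndroidManifest.xml")


def whole_file_sha256(apk_bytes):
    """The naive fingerprint: a hash over the entire archive."""
    return hashlib.sha256(apk_bytes).hexdigest()


def code_fingerprint(apk_bytes):
    """Hash only the code-bearing entries, in a fixed order, so that
    added or renamed resource files do not change the result."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        for name in CODE_ENTRIES:
            if name in names:
                h.update(name.encode())
                h.update(z.read(name))
    return h.hexdigest()


def duplicate_content_groups(apk_bytes):
    """Group entry names by the SHA-256 of their content and return only
    the groups with more than one member: the same bytes stored under
    several names (the 'same photo N times' pattern)."""
    groups = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(z.read(info)).hexdigest()
            groups[digest].append(info.filename)
    return {k: v for k, v in groups.items() if len(v) > 1}


def analyse(apk_bytes):
    """Summarise one package: both hashes plus the size of the largest
    group of byte-identical entries."""
    dups = duplicate_content_groups(apk_bytes)
    return {
        "whole_file": whole_file_sha256(apk_bytes),
        "code": code_fingerprint(apk_bytes),
        "largest_duplicate_group": max((len(v) for v in dups.values()), default=0),
    }


# Constructed stand-in for real bytecode; only the magic bytes are realistic.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 40


def build_sample_apk(dex, padding_count, seed):
    """Construct a minimal APK-like ZIP: fixed code plus variable padding.
    This is constructed test data, not a real malware sample."""
    rnd = random.Random(seed)
    photo = bytes(rnd.getrandbits(8) for _ in range(64))  # stands in for the photo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder manifest
        z.writestr("classes.dex", dex)
        z.writestr("assets/url.txt", b"http://example.invalid/app.apk")  # placeholder
        for i in range(padding_count):
            z.writestr(f"res/raw/photo{i}.jpg", photo)  # identical copies
        z.writestr("res/raw/noise.bin", bytes(rnd.getrandbits(8) for _ in range(32)))
    return buf.getvalue()


if __name__ == "__main__":
    a = analyse(build_sample_apk(SAMPLE_DEX, padding_count=3, seed=1))
    b = analyse(build_sample_apk(SAMPLE_DEX, padding_count=7, seed=2))
    print("whole-file hashes equal:", a["whole_file"] == b["whole_file"])
    print("code fingerprints equal:", a["code"] == b["code"])
    print("largest duplicate group:", a["largest_duplicate_group"], b["largest_duplicate_group"])
```

The code fingerprint survives the automatic per-download padding but, as the commenter notes, not the manual recompilation with renamed classes, so in practice it is a triage aid for clustering downloads from one day rather than a long-lived signature. The duplicate-group count is the more durable heuristic: a legitimate app has little reason to ship the same resource under a dozen names.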