
Even though Google recently introduced
a malware-blocking system called Bouncer to keep the Android Market
safe from malicious software, crafty spammers and fraudsters are
still managing to find ways
around the restrictions to get their software onto users’ phones. The
latest example? A malware program disguised, innocuously, as an Android
app called “any_name.apk.” And it appears the malware is using
Facebook’s app on Android phones in order to spread.

The software was discovered by security firm Sophos,
which came across the malware after receiving a Facebook friend
request. When checking out the user’s profile, the researcher, Vanja
Svajcer, found a link posted to the requester’s Facebook profile page
that, when clicked, directed the browser to a webpage which started an
automatic download of an unknown software application to the device.

The software downloaded and installed immediately, without any
request for authorization or input from the end user. However, although
Svajcer doesn’t mention this in his analysis, for software to
automatically install from outside the Google Android Market, the
phone’s default settings must have been changed. Typically, Android
phones are shipped with a setting switched on that prevents mobile apps
from installing from sources besides the official Android Market. Many
savvy Android users switch this setting off, though, because they enjoy
the freedom that Android provides in discovering apps from alternative
app stores and download locations – like the treasure trove that is the
XDA Developers forum, for example.

Unfortunately, malware like this is the nasty side effect. And
there’s nothing Bouncer can do about it. The link the researcher clicked
did not appear to be an APK file by nature of its URL, just a typical
website. And it was placed into the user’s About Me section on Facebook,
as if it was a link to that person’s homepage.

Of course, many folks would simply ignore a friend request from
someone they didn’t know, but curiosity often gets the better of us. (Do
I know them? Did we meet at some point, and I forgot?) One errant click,
and oops, you’re infected.

In this particular case, the malware in question appears to be a
program designed to earn money for fraudsters through premium rate phone
services, a scam popular outside the U.S. for the most part, which
involves having unsuspecting users send out text messages to premium
rate numbers (those that charge). The scammers, who are operating the
numbers, end up collecting the money from the victims’ accounts.

The app attempts to associate itself with the Opera browser, and an
encrypted configuration file contains the dialing codes for all the
supported countries where the premium rate numbers are hosted.

As a side note: a few days later, the researcher visited the same
URL, but was directed to an all-new website where another APK file was
automatically downloaded (hilariously called “allnew.apk”). This one
was functionally similar, but different on the binary level, indicating
it was a new variant of the same malware.

Maybe it’s time for Android’s Bouncer guy to get pre-installed on handsets, too?