Monday, February 18, 2013

0day Two Part Android OpFake Variant.

     The other day I ran into a fake Android store through a poisoned Yandex search engine link. The fake Android market at hxxp://[dot]ru/ is pushing never before seen downloader apps for a newer variation of OpFake.

     A downloaded APK of the popular Android game, Mass Effect: Infiltrator, and installed it.  The icon (displayed to the left)  was good and it even only asked for minimal permissions. However, directly after the install it loads an app that was downloaded in the background. This one however has a much more sinister motive. OpFake sends premium SMS and installs a backdoor on your Android device. Some more info about this version of Opfake can be found in a past blog posting here.

     The Virus Total results below for the downloader app show that not a singe Anti-Virus company pick this one up and the OpFake sample itself has a very minimal detection rate. This means that even with the best of Anti-Virus software you can still pick up a Trojan from these alternate markets.  It's best to stick to Google Play and not to download supposed free versions of games.

Virus Total results on the downloader
Virus Total results on the OpFake Sample
Captured samples

Stay safe out there

Thursday, February 7, 2013

GTA: Vice City Free Download Scam

   Another new Grand Theft Auto: Vice City app on the Google Play Store was removed last week after complaints. For the scammers and spammers Grand Theft Auto has always been a big target to push malware. Just recently a fake version of GTA 3 was pushing Adware for a quick buck. This one however, while is not as mischievous, still doesn't produce the goods it promises and will send you on a wild goose chase.

    While no longer on the Google Play Store, you can still download this sample from alternate Android markets, including 1mobile.  The description, icon, and screenshots are all valid, directly copied from the version that cost money on Google Play.  However, just from this market view you already get red flags.  There are over 19 thousand downloads but only 53 likes.  A valid free version of GTA would receive a lot more likes and shares then that.  Also the file size is way to small for a full game.  The biggest red flag is the company that posted it, Open Concept Inc,  is not a valid publisher of any GTA games.

    After downloading and running it, the chase to see if I can actually get a valid version of the game begins, and then ends pretty quickly. On the very first screen all you see is a note on how to unlock the full version of the game. The app sends you through a link: hxxp:// Which then redirects you to either: hxxp:// or any one of "bigbrandrewards" other pages.  These are all just survey scams.  You can enter all the information you want and you will never get the full version of GTA for free.  The one it referred me to promises a 50 inch HDTV.

     Of course as with all survey scams the requirements to get these will cost much more then the value of anything received. This is not the first time and wont be the last that survey scams have been caught plagiarizing games on the Android markets. You can download some more samples of Android apps redirecting to survey scams here.
Direct link to the sample (Warning: This is an uncensored direct link and could harm your Android device):
Monday, February 4, 2013

Talking Tom Talks You Into SMS Fraud

The Russian market is now over-run with fake Android Apps. You can search the Russian search engine Yandex for just about any Android app you can think of and put the term "apk ru" (without the quotes) at the end of the app name and you are bound to get bad search results. They will scam you with every ploy in the book to get you to download and install. Promise you free versions of paid software, better versions of free software, security updates, software updates or even offer extra benefits with download.

This example a site claims to host a Russian language version of Talking Tom Cat.
The site can be found at:
The download at:  
You may need to download on a mobile device or in Malzilla with a Android user agent. Check here for a how-to.

Instead of a talking Russian cat, you get the same old SMS scam that has been re-hashed for over a year now. The Virus Total results confirm that this is just garbage and the screenshot to the right shows that you aren't getting a talking cat. It's worth a note that this is the same fake opera scam that first started it all.

Stay safe out there