Monday, February 18, 2013

0day Two Part Android OpFake Variant.

     The other day I ran into a fake Android store through a poisoned Yandex search engine link. The fake Android market at hxxp://[dot]ru/ is pushing never before seen downloader apps for a newer variation of OpFake.

     A downloaded APK of the popular Android game, Mass Effect: Infiltrator, and installed it.  The icon (displayed to the left)  was good and it even only asked for minimal permissions. However, directly after the install it loads an app that was downloaded in the background. This one however has a much more sinister motive. OpFake sends premium SMS and installs a backdoor on your Android device. Some more info about this version of Opfake can be found in a past blog posting here.

     The Virus Total results below for the downloader app show that not a singe Anti-Virus company pick this one up and the OpFake sample itself has a very minimal detection rate. This means that even with the best of Anti-Virus software you can still pick up a Trojan from these alternate markets.  It's best to stick to Google Play and not to download supposed free versions of games.

Virus Total results on the downloader
Virus Total results on the OpFake Sample
Captured samples

Stay safe out there

Check out Valid Mass Effect Apps and Programs on Amazon.