{"id":74578,"date":"2012-07-23T15:59:44","date_gmt":"2012-07-23T10:29:44","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=74578"},"modified":"2012-07-23T15:59:44","modified_gmt":"2012-07-23T10:29:44","slug":"android-malware-creates-clones-of-popular-apps-and-tricks-victims","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/android-malware-creates-clones-of-popular-apps-and-tricks-victims\/","title":{"rendered":"Android malware creates clones of popular apps and tricks victims"},"content":{"rendered":"<p>Our malware analysis team has discovered a new social engineering trick used by criminals to target Android users. The attack vector guides the victim to a fake application market (or an untrustworthy third-party source). Once there, the victim downloads clones of popular apps that are cleverly disguised. Once such an application gets downloaded, it controls the read, send and receive functionality of the SMS and MMS service of the device. <\/p>\n<p>The clones that are downloaded by the victim are the latest versions of genuine apps, so it is quite simple for people to get fooled. In this case, the alternate market that the malware connects to is <em>vttp:\/\/myadroidmaklet.net\/<\/em>. 
<\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/12334567811242.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/12334567811242.jpg\" alt=\"Fake market\" title=\"Fake market\" width=\"322\" height=\"529\" class=\"aligncenter size-full wp-image-74591\" \/><\/a><\/p>\n<p>The malware then carries out the following nefarious activities:<\/p>\n<ul>\n<li>Sends texts to premium-rate numbers and gains revenue for the attackers<\/li>\n<li>Intercepts verification texts from third-party sources and responds to them<\/li>\n<li>Intercepts CAPTCHA images and sends them to a remote server<\/li>\n<\/ul>\n<p><strong>Detailed analysis of the malware<\/strong> <\/p>\n<p>Once the victim is guided to the fake market, he can browse freely and find around 50 popular apps that can be downloaded.  <\/p>\n<p>Once the victim has picked the app of his choice (Adobe Flash Player in this example), he is shown a page of authentic permissions. Once the app has been installed, two rather strange-looking icons are added to the home screen. 
<\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/1231.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/1231-187x300.jpg\" alt=\"Flash Player\" title=\"Flash Player\" width=\"187\" height=\"300\" class=\"alignleft size-medium wp-image-74595\" \/><\/a><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123341.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123341-183x300.jpg\" alt=\"Permissions\" title=\"Permissions\" width=\"183\" height=\"300\" class=\"aligncenter size-medium wp-image-74596\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123456112131.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123456112131-188x300.jpg\" alt=\"Installation complete\" title=\"Installation complete\" width=\"188\" height=\"300\" class=\"alignleft size-medium wp-image-74600\" \/><\/a><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123345678112411.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2012\/07\/123345678112411-182x300.jpg\" alt=\"Home screen\" title=\"Home screen\" width=\"182\" height=\"300\" class=\"aligncenter size-medium wp-image-74601\" \/><\/a><\/p>\n<p>After installation, the corrupted app sends the following messages to the premium numbers mentioned:<\/p>\n<ul>\n<li>Sends SMS to 9999<br \/>\nMessage text \u2013 68295857151001760382<\/li>\n<li>Sends SMS to 6666<br \/>\nMessage text \u2013 68488857151001794922<\/li>\n<li>Sends SMS to 7375<br \/>\nMessage text \u2013 68139857131001729632<\/li>\n<li>Sends SMS to 7151<br \/>\nMessage text \u2013 70123384141921689572<\/li>\n<\/ul>\n<p>The cloned apps that can be found are some of the most commonly used apps. 
There are about 50 such apps that have been successfully cloned by this malware, and this creates a lot of confusion for potential victims. Here is a list of some of these apps: <\/p>\n<ul>\n<li>Adobe Flash Player<\/li>\n<li>Adobe Reader<\/li>\n<li>Angry Birds Rio<\/li>\n<li>Gmail<\/li>\n<li>Google+<\/li>\n<li>Google Maps<\/li>\n<li>Mozilla Firefox<\/li>\n<li>Skype<\/li>\n<li>TuneIn Radio<\/li>\n<li>WhatsApp Messenger<\/li>\n<li>YouTube<\/li>\n<\/ul>\n<p><strong>Tips for safety<\/strong><\/p>\n<p>There are many more apps that have been successfully cloned and used to trick victims. To ensure safety, we recommend the following steps: <\/p>\n<ul>\n<li>Download apps from legitimate sources only, especially Google Play.<\/li>\n<li>Deactivate the &#8216;sideloading&#8217; feature. For more details, <a href=\"https:\/\/blogs.quickheal.com\/beware-hacked-websites-can-now-infect-your-android-smartphone\/\">click here<\/a>.<\/li>\n<li>Install an effective security solution like <a href=\"https:\/\/www.quickheal.com\/mobileseclt.asp\">Quick Heal Mobile Security<\/a>.<\/li>\n<li>Scan apps with the security software before you download them.<\/li>\n<\/ul>\n<p>The popularity of Android devices and their ability to install apps from third-party sources is a major risk for one and all. Innovative techniques like this will crop up from time to time, but the best security software and awareness will keep users protected. <\/p>\n<p>Thanks to Sandip for the analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our malware analysis team has discovered a new social engineering trick used by criminals to target Android users. The attack vector guides the victim to a fake application market (or an untrustworthy third-party source). Once there, the victim downloads clones of popular apps that are cleverly disguised. 
Once such an application gets downloaded, it controls [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,55,24,60],"tags":[56,57,49,59,121,61,29,67],"class_list":["post-74578","post","type-post","status-publish","format-standard","hentry","category-adobe","category-android","category-malware","category-smartphone","tag-android-security","tag-droid-defense","tag-malware","tag-mobile-devices","tag-sideloading","tag-smartphone-security","tag-social-engineering","tag-third-party-apps"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/74578"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=74578"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/74578\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=74578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=74578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=74578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}