Since last week, premium-rate SMS Trojans have surfaced in the Android Market. Google has pulled 22 apps that were masquerading as legitimate versions of popular games like Angry Birds and Cut the Rope. Security researchers have discovered a way to bypass an Android smartphone owner's permissions and access private data stored on their smartphone.
The Avast blog explains: for example, if someone tried to look for "Cut the rope free", this malicious application was in fourth place in the search results. Apps published by the developer Miriada Production may look like well-known Android games (Angry Birds, Need for Speed, World of Goo and others) and users could be easily confused.
The fake apps include "Cut the Rope", "Need for Speed", "Assassins Creed", "Where's My Water?", "Riptide GP", "Great Little War Game", "World of Goo", "Angry Birds", "Shoot The Birds", "Talking Tom Cat 2", "Bag It!" and "Talking Larry the Bird". The apps have been pulled from the Android Market.
The fraudulent apps would install a premium-rate SMS Trojan that would rack up hidden charges on the user's phone bill. The apps would lure customers into clicking on options that would send text messages to premium line numbers, leaving the user to foot the bill. According to Lookout Mobile Security, the new threat, called RuFraud, has been found in an initial batch of apps on the Android Market that includes horoscope apps, wallpapers, and game apps that pretend to be legitimate games like Angry Birds.
What happens if these threats are installed on your mobile device?
Once installed, the malware:
- Attempts to send text messages containing the string "798657" to premium-rate numbers using the infected device's current default SMS Center (SMSC), abusing the SEND_SMS permission (android.permission.SEND_SMS).
- Is capable of sending an affected user's GPS location via HTTP POST.
- Opens several ports and connects to specific URLs to receive and execute commands from a remote user.
- Gathers information like International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers from infected systems, which is then sent to a specific site.
- Secretly forwards all incoming text messages to a remote user.
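Each behaviour above depends on permissions the app has to declare in its manifest, so a decoded AndroidManifest.xml can be triaged before installation. The following is an added example, not code from Avast, Lookout or Trend Micro; the behaviour-to-permission mapping and both sample manifests are constructed for illustration, and a match shows capability, not proof of malice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: behaviour from the list above -> permissions it requires.
BEHAVIOURS = {
    "send premium-rate SMS": {P + "SEND_SMS"},
    "forward incoming SMS": {P + "RECEIVE_SMS", P + "INTERNET"},
    "upload GPS location": {P + "ACCESS_FINE_LOCATION", P + "INTERNET"},
    "upload IMEI/IMSI": {P + "READ_PHONE_STATE", P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def audit(manifest_xml):
    """List the behaviours the declared permissions would make possible."""
    perms = requested_permissions(manifest_xml)
    return sorted(b for b, needed in BEHAVIOURS.items() if needed <= perms)

# Constructed sample: a "free game" that asks for SMS and phone-state access.
FAKE_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed sample: a game that only needs network access.
PLAIN_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaingame">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fake game", FAKE_GAME), ("plain game", PLAIN_GAME)):
        print(label, "->", audit(manifest) or "nothing flagged")
```

A game or wallpaper that triggers "send premium-rate SMS" deserves a closer look, since nothing in such an app needs to send text messages.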
How do users get these threats?
Trend Micro has reported several incidents wherein malware came disguised as Android apps. Samples of Android malware found in the wild include:
- ANDROIDOS_DROIDSMS.A: Came disguised as Windows Media Player.
- ANDROIDOS_DROISNAKE.A: Came in the form of a game known as Tap Snake.
- ANDROIDOS_GEINIMI.A: Came in the form of Trojanized apps hosted in certain third-party app stores in China.
- ANDROIDOS_ADRD.A: Comes in the form of a Trojanized wallpaper app.
- ANDROIDOS_LOTOOR.A: Trend Micro's detection for Trojanized versions of legitimate apps like "Falling Down".
- ANDROIDOS_BGSERV.A: Trojanized version of Android Market Security Tool, which was released to address the modifications done by AndroidOS_LOTOOR.A.
Trend Micro suggests: "Users can also check the developer's profile for other apps. Google also offers developer ratings, as well as the status 'Editor's Choice' that can further validate the developer's legitimacy. It is also a good practice to check app ratings and user feedback for more verification. The user rating and feedback feature give people a more accurate view of the experiences users have when using or installing the app. You can find it just below the app icon."