Third-party Android markets have always been the favorite means of malicious app dissemination, especially in regions like Asia, where users donâ€™t have access to the official repository.
This is also the case with the latest campaign laid out by cyber-crooks to lure users into installing well-known applications on the genuine Android Market, but which have been tampered with in order to launch additional services along with the original app.
Shortly put, the original Android application downloaded from a third-party location contains â€œthe real dealâ€ as well as a Trojanized service (usually called â€œGoogleServicesFrameworkServiceâ€), which is launched as soon as the host application is started.
Rogue service calleld GoogleServicesFrameworkService started by the compromised app
Identified by Bitdefender as Android.Trojan.FakeUpdates.A, this piece of malware connects to a C&C server and fetches a list of links to different APKs. After that, it downloads each APK from the list and then displays displays a notification in the status bar area, reading Â â€œæ‚¨å¥½,å·²ç»èŽ·å–æœ€æ–°æ›´æ–°,è¯·ç‚¹å‡»å®‰è£…â€ (In order to have access to the latest updates, click Install). This approach confuses the user, as they have no idea where the message came from.
Routine that starts the malicious serviceÂ
This Trojan requires an extensive array of privileges upon installing, in order to make sure that it can take full control over the smartphone whenever necessary. Depending on the APKs to be downloaded and installed, the application may require up to 10 privileges prior to the installation and most of the users will accept it without any second thoughts, since they believe that what is to be installed is an update to one of the applications they already have installed.
Downloading the APKs from the third-party server
Android application posted on third-party Android Markets are nothing new; however, what is particularly important is the attackersâ€™ modus operandi: they publish a totally legit application on the respective Market, let it live for a couple of days to get the positive ratings and gain usersâ€™ trust, and then change the APK with a Trojanized one in order to fulfill their malicious goals. Also, of great importance is that most of the repackaged applications we have analyzed have low detection rates, which poses a real danger even to smartphone users who run a mobile security solution.
The function that displays the fake update notifications
Android.Trojan.FakeUpdates.A poses an immediate threat to the smartphone user as it can download and install anything, from trial versions of software in pay-per-install campaigns to spyware and other Trojans.
Bitdefender Mobile Security in action
In order to protect your privacy and keep your device in the best shape, you are advised NOT to install applications that ask for more permissions that it would normally use. Also, installing a mobile security solution will help you mitigate this kind of attacks.
This article is based on the technical information provided courtesy of Vlad Ilie, Bitdefender Virus Researcher .
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.