
Trojan:AndroidOS/SMSFakeSky.A


First posted on 17 July 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:AndroidOS/SMSFakeSky.A.

Explanation :



Trojan:AndroidOS/SMSFakeSky.A is a trojan that affects mobile devices running an Android operating system. It poses as a legitimate application, but instead sends multiple premium SMS messages to certain numbers, which incurs significant costs. Some examples of applications we have observed this trojan posing as are:

  • Adobe Flash Player
  • Angry Birds Rio
  • Browser Mini 6.5
  • Dr.Web 7
  • Google Maps
  • Mozilla Firefox
  • Opera
  • Opera Mini 6.5
  • Skype


Installation

The trojan targets Russian-speaking users. It poses as a legitimate application, so when you try to install the trojan, it may ask you for permissions to run; for example, it may ask you for access to SMS or MMS for reading, sending and receiving them.



Once installed, it displays the following text:

"Установка. Вы согласны с условиями загрузки Adobe/Skype. Для продолжения загрузки нажмите кнопку Далее"

which translates to:

"Installation
You agree to the conditions for downloading Adobe Flash Player/Skype.
To proceed with the download, click the Next button."





The trojan will then display a notification which urges you to update the mobile device or other applications, when in fact it installs another version of itself:

"Срочное обновление Android (Flash...)"

which translates to:

"Critical update for Android (Flash ...)"



The trojan creates two shortcuts on the home screen:

  • "Поиск" (translates to "Search") - this links to another version of the trojan
  • "Hello6" - this links to a search engine






Payload

Sends messages to premium numbers

When it runs, the trojan displays a fake progress bar, so as to appear as though it is downloading an app to your mobile device. It then displays a URL to a supposed statement of agreement, but you cannot access this link.

When you click the "Agree" button, the trojan will send multiple SMS messages to premium numbers at your expense. A download link will be generated on one of the following domains:

  • agentln.net
  • gtlinc1.net
  • rans4r.net


This download link may link to the legitimate application that the trojan is posing as.



Below are some examples of the premium numbers it sends messages to, and the message it sends:

  • 6666, with the text: 684882541888619512
  • 7151, with the text: 70123360151921672152
  • 7375, with the text: 68295520211518460942
  • 7375, with the text: 68139520211518452612
  • 9999, with the text: 68488520221518419912
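
The following added example, which is not part of the original analysis, applies the indicators listed on this page to a constructed outgoing-SMS log: it flags messages to the listed premium numbers, messages to any short code whose body is a long digit-only string like the samples above, and packages that send several such messages in quick succession. The `epoch|package|dest|body` log format, the package names, the 3-6 digit short-code range, the 16-24 digit body range and the burst threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators copied from this write-up.
KNOWN_NUMBERS = {"6666", "7151", "7375", "9999"}
KNOWN_DOMAINS = {"agentln.net", "gtlinc1.net", "rans4r.net", "myadroidmaklet.net"}

SHORT_CODE = re.compile(r"^\d{3,6}$")       # assumption: short codes are 3-6 digits
NUMERIC_BODY = re.compile(r"^\d{16,24}$")   # page samples are 18-20 digits long
HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def score_sms(dest, body):
    """Return the reasons an outgoing SMS resembles this trojan's payload."""
    reasons = []
    if dest in KNOWN_NUMBERS:
        reasons.append("known-number")
    if SHORT_CODE.match(dest) and NUMERIC_BODY.match(body.strip()):
        reasons.append("short-code+numeric-body")
    return reasons

def domain_hits(text):
    """Return listed domains (or subdomains of them) that appear as URL hosts."""
    hosts = [h.lower().rstrip(".") for h in HOST.findall(text)]
    return {d for h in hosts for d in KNOWN_DOMAINS if h == d or h.endswith("." + d)}

def analyse(log_lines, burst=2, window=60):
    """Parse 'epoch|package|dest|body' lines; return (flagged, bursting packages)."""
    flagged, times = [], defaultdict(list)
    for line in log_lines:
        ts, pkg, dest, body = line.split("|", 3)
        reasons = score_sms(dest, body)
        if reasons:
            flagged.append((pkg, dest, reasons))
            times[pkg].append(int(ts))
    bursting = set()
    for pkg, ts in times.items():
        ts.sort()
        if any(ts[i + burst - 1] - ts[i] <= window for i in range(len(ts) - burst + 1)):
            bursting.add(pkg)
    return flagged, bursting

# Constructed sample log: package names are made up, numbers and texts are from the page.
SAMPLE = [
    "1342500000|com.example.fakeplayer|7375|68295520211518460942",
    "1342500004|com.example.fakeplayer|9999|68488520221518419912",
    "1342500100|com.example.chat|+15550100|see you at 6",
    "1342500200|com.example.bank|2265|Your code is 123456",
]
```

The heuristic branch matters because the numbers and message texts above are only examples; a legitimate one-time-code message to a short code, such as the last sample line, is not flagged because its body is not digit-only.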


Downloads new versions of itself

The trojan creates means to update itself by adding a notification in the System Notification bar and shortcuts on the home screen. These require you to take action for re-infection to be successful; if you click on the notification or the shortcut, a new version of the trojan with the same payload will be installed, replacing the old version.



Poses as legitimate applications

Trojan:AndroidOS/SMSFakeSky.A poses as different legitimate applications, which it retrieves from a site called "myadroidmaklet.net", which masquerades as Android Market.

This site lists more than 50 fake applications; below are some examples of the fake applications it hosts:

  • 3D Bowling
  • Adobe AIR
  • Adobe Flash Player
  • Adobe Reader
  • Advanced SD Card Manager
  • Alarm Clock Xtreme
  • Aldiko Book Reader
  • Amy Reid
  • Angry Birds Rio
  • Asphalt 6: Adrenaline HD
  • ASTRO File Manager
  • Call Recorder - Total Recall
  • Can Knockdown 2
  • Crazy Home 2
  • Doodle Jump 2
  • Dr.Web 7
  • ezPDF Reader
  • FileGo
  • Gmail
  • Google Maps
  • Google Maps 7
  • Google Translate
  • Google+
  • GPS Status & Toolbox
  • Great Little War Game
  • Green Power Premium
  • Lame Castle
  • Marine Defender
  • Mirror
  • Mozilla Firefox
  • MX Video Player
  • Need for Speed Hot Pursuit
  • Need For Speed Shift
  • Opera Mini 6.5
  • PES 2011 Pro Evolution Soccer
  • QIP
  • RecForge Free - Audio Recorder
  • Record My Call
  • Serious Sam Kamikaze Attack
  • Skype
  • SPB Shell 3D
  • Spb TV
  • SpeedView Pro
  • Startup Manager
  • Tiny Flashlight + LED
  • TuneIn Radio
  • Voice Search
  • WhatsApp Messenger
  • World of Goo
  • YouTube












Analysis by Daniel Chipiristeau

Last update 17 July 2012

 
