In a clear warning to mobile users in developed markets, Russian cybercriminals have started distributing a wave of premium rate malware from rogue marketplaces, including one example disguised as an Android Flash Player.
Reported by Trend Micro, the first attack is a straightforward piece of social engineering, attempting to trick mobile browser users into downloading a bogus Flash app.
Falling for the ruse causes the download of a malicious .APK (Android package) file which installs Androids_Boxer.A which sends premium rate SMS messages varying according to the geographical location of the infected smartphone.
A second attack of a similar ilk detected by Avast reels in mobile users looking for screen savers and free games, giving them a variant of the Android:FakeInst malware that also sets the victim up for premium SMS fraud.
Both malware attacks are currently being posted on Russian-language websites which lowers the chances of anyone outside that region encountering them but the intention is clear. Whether using shady app sites beyond the relative safety of the Android Marketplace or via websites, the malware peddlers are developing more sophisticated ways to attack mobile users.
When the threat moves beyond Russia in earnest, the social engineering design of using bogus apps to spread malware is likely to be the attack method – Angry Birds and Instagram have already been ‘adopted’ in recent weeks to carry out this type of attack.
Typically, the domains used to host the malware were temporary, a tactic borrowed from the desktop malware world.
“Analysing the trail the malware creators left for us, we’ve discovered a few sites they [the malware writers] have used in order to attract users and all of them target Russian speaking people and look like an alternative markets. In reality, these sites exist for a short period of time and offers only fake downloaders,” said Avast’s blog.
“And this scam costs you money. If somebody clicks on the OK or Agree button, they have probably already been defrauded by the creators,” said Avast’s blog.
The slow convergence of desktop malware techniques with mobile (read Android) threats continues, including the first example of a website drive-by Android attack detected last week.