    Author Archive - Karla Agregado (Fraud Analyst)

    Following the fake versions of the Instagram, Angry Birds Space, and Farm Frenzy apps, we recently spotted a website offering several fake Skype mobile apps for Android. Based on our analysis, however, these "apps" are actually malware that runs on older Symbian versions or on Android devices that have an app installed which enables the execution of Java MIDlets. Once installed, the malware sends messages to premium numbers without the user's consent.

    The website http://{BLOCKED}ndroidl.ru offers several versions of a Skype app for Android. The site is hosted on a Russian domain, like the webpages we have seen hosting the fake Instagram and Angry Birds Space apps. When we attempted to download the app during analysis, we noticed that it was actually being served from another website, http://{BLOCKED}mobile.ne.

    We also tried downloading the other Skype mobile app versions offered by the site. Doing so, however, only led us to the same .JAR file (instead of an .APK file, the expected download format for Android apps), downloaded from the same malicious site. This .JAR file (detected by Trend Micro as JAVA_SMSSEND.AB) is a Java MIDlet that poses as an installer of Skype for the Android platform. Once executed, the file displays the following interface:

    Should users press the left soft key of their smartphone, it displays the following:

    Pressing the right soft key, however, redirects the mobile device's browser to the URL http://{BLOCKED}1.net/?u=1l4zi3m938o80vl. The malicious app's actual function is to send SMS messages to specific numbers, so affected users incur unnecessary monetary charges for these messages.

    Though these fake Skype apps are marketed specifically to Android users, the malicious .JAR file executes on pre-SIS (Software Installation Script) Symbian phones or on certain Android configurations that can run Java MIDlets. For an Android device to run a Java MIDlet, the user must first install an app that enables the device to execute such files. Typically, this type of app is available on third-party app stores.

    For an overview of the latest threats targeting Android devices, you may refer to our infographic Behind the Android Menace: Malicious Apps.

    Trend Micro protects users from this threat via the Smart Protection Network™, which detects and deletes this malicious .JAR file. Access to the related websites is also blocked via the web reputation service. As an added precaution, users should refrain from downloading apps from dubious websites. Users should also make it a habit to read app ratings and reviews to know which apps are safe to download.

    To know more about how to enjoy your mobile devices safely and securely, you may refer to our comprehensive Digital Life e-guides below:

    With additional analysis from Christopher So.
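    As an added example (not code from the original post), the check below classifies a downloaded archive by its contents rather than by the extension the site advertises: a genuine Android package carries AndroidManifest.xml and .dex files, while a Java ME MIDlet suite like the fake Skype installer above declares MIDlet-1 and MicroEdition-Profile attributes in META-INF/MANIFEST.MF. The sample archives are constructed in memory; the manifest values and file names are illustrative, not taken from the actual sample.

```python
import io
import zipfile

# Constructed sample archives stand in for files a download site would serve.
def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Minimal Java ME manifest: MIDlet-1 and MicroEdition-Profile mark a MIDlet suite.
MIDLET_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "MIDlet-Name: Skype\r\n"
    "MIDlet-1: Skype, /icon.png, Main\r\n"
    "MicroEdition-Profile: MIDP-2.0\r\n"
    "MicroEdition-Configuration: CLDC-1.1\r\n"
)

def classify_archive(data: bytes) -> str:
    """Return 'apk', 'midlet-jar', 'unknown' or 'not-a-zip' from archive structure alone."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-a-zip"
    names = set(zf.namelist())
    # A genuine Android package carries a binary AndroidManifest.xml plus Dalvik bytecode.
    if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
        return "apk"
    # A Java ME MIDlet suite declares itself through attributes in META-INF/MANIFEST.MF.
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        attrs = {ln.split(":", 1)[0].strip() for ln in manifest.splitlines() if ":" in ln}
        if "MIDlet-1" in attrs or "MicroEdition-Profile" in attrs:
            return "midlet-jar"
    return "unknown"

def check_download(advertised: str, data: bytes) -> tuple:
    """Compare what the site advertised ('apk' or 'jar') with what the archive really is."""
    kind = classify_archive(data)
    expected = {"apk": "apk", "jar": "midlet-jar"}.get(advertised.lower())
    return kind, kind == expected

FAKE_SKYPE = build_zip({"META-INF/MANIFEST.MF": MIDLET_MANIFEST, "Main.class": b"\xca\xfe\xba\xbe"})
REAL_APK_SHAPE = build_zip({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00"})

if __name__ == "__main__":
    print(check_download("apk", FAKE_SKYPE))      # ('midlet-jar', False)
    print(check_download("apk", REAL_APK_SHAPE))  # ('apk', True)
```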




    Last month we saw cybercriminals use the popularity of apps like Instagram and Angry Birds Space to deliver malware to Android phones. This time, we spotted the same social engineering tactic using Adobe's name.

    This webpage is also hosted on a Russian domain, like the fake Instagram and Angry Birds Space apps we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version:

    When users opt to download and install the fake app, the site connects to another URL to download a malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user's permission, leading to unwanted charges. This type of Android malware is just one of the types we identified in our infographic, A Snapshot of Android Threats.

    Upon further investigation, we found several URLs hosted on the same IP as this website. Based on the naming of these URLs alone, it appears that Android is a favorite target of the cybercriminals behind this scheme.

    Trend Micro protects your Android phone from accessing these malicious sites and from downloading the malicious .APK files via the Mobile Security Personal Edition app. Apart from blocking access to malicious sites, the app scans each app you install to ensure your safety.

    For your reference, Adobe Flash Player from Adobe Systems can be downloaded via the Google Play store.




    Recently, Facebook announced its acquisition of Instagram, a popular photo-sharing smartphone app that also released an Android version almost a week ago. It was reported that Facebook paid approximately $1 billion (£629m) in cash and stock for the takeover.

    Cybercriminals soon started to take advantage of Instagram's popularity. We discovered a spoofed webpage containing a rogue version of Instagram. The webpage mimics Instagram's legitimate download page; the red squares indicate clickable links that lead to the download:

    For your reference, below is a screenshot of the site hosting the legitimate app:

    My colleague Jonathan Beltran also uncovered a rogue version of Angry Birds Space. Similar to the fake Instagram app, the webpage hosting this rogue app is hosted on a Russian site.

    Both the rogue Instagram and Angry Birds Space apps are detected as ANDROIDOS_SMSBOXER.A. Based on our initial analysis, the malware asks users to permit sending a query to short numbers, supposedly to activate the app. In reality, the malware sends a message to specific numbers. The rogue app also connects to specific sites, possibly to download other files onto the device.

    For the past few days, we have been seeing several other Russian domains hosting fake webpages posing as download pages for popular Android apps. Some of the apps used in this scheme include Fruit Ninja, Temple Run and Talking Tom Cat. Users are advised to remain cautious before downloading Android apps, especially those hosted on third-party app stores. To know more about how to avoid downloading malicious apps and for other safety tips, you may read the following e-guides:

    Trend Micro™ Smart Protection Network™ prevents access to the malicious websites, so users are protected from clicking and downloading the fake Instagram and Angry Birds Space apps. Furthermore, Trend Micro Mobile Security detects the .APK files to protect Android smartphones from the malware's malicious routines.




    We were alerted to reports of a mass compromise of WordPress sites that leads to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this campaign employed spammed messages purporting to come from known legitimate sources such as the Better Business Bureau and LinkedIn, to name a few. These spam messages use social engineering tactics to entice unsuspecting users to click the link found in the email.

    Clicking this link leads to a series of compromised WordPress sites, which ultimately point users to the Blackhole Exploit Kit, which targets the vulnerabilities cited in CVE-2010-0188 and CVE-2010-1885. This is detected by Trend Micro as JS_BLACOLE.IC.

    Once users click on any of the URLs seen in Figure 3, they are redirected to sites that host the exploit kit.

    Based on our analysis, this exploit results in the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site, http://{Random URL}.ru:8080/rwx/B2_9w3/in/, to download its configuration files.

    WORM_CRIDEX.IC was also found to generate several random domains using a domain generation algorithm (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to prevent botnets from being shut down. The malware also uses the DGA to locate and download its configuration file. As of this writing, the exact behavior of the sample depends on that configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file or folder, and retrieving certificates from a certificate store. During our testing, we were unable to download the configuration file, as it was no longer available.

    Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which blocks the malicious URLs related to this attack and detects the related malware. To avoid encountering these compromised sites, users should think twice before clicking links found in dubious-looking messages. Always verify the validity of received messages, especially those that claim to be from well-known sources.

    With additional text and analysis by security evangelist Ivan Macalintal.




    The Android Market was only recently renamed Google Play, and yet there are already cybercriminals taking advantage of this. We have spotted newly created domains that imitate the Google Play site and serve malicious apps.

    The malicious URL http://{BLOCKED}ay-google.ru displays a fake Russian Google Play site. Translated to English, the text reads: "Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music."

    Upon trying to select the clickable images on the site, I was led to another malicious Russian domain that offers suspicious Android apps. I tried to download the Google Play application, google-play.apk, from the URL http://{BLOCKED}ay-google.ru, but it simply points to a malicious file detected as ANDROIDOS_SMSBOXER.AB. This in turn leads to another malicious URL, http://{BLOCKED}-api.ru.

    ANDROIDOS_SMSBOXER.AB is a premium abuser type of mobile malware. Such malware subscribes affected devices to premium services without the permission of the user, thus leading to unwanted charges.

    This particular malware is very similar to ANDROIDOS_OPFAKE.SME, an Android malware that made news last month for its ability to polymorph. As with ANDROIDOS_OPFAKE.SME, however, the server that hosts ANDROIDOS_SMSBOXER.AB simply inserts unnecessary files into the APK in order to evade detection. According to Threats Analyst Kervin Alintanahin, this routine technically cannot be considered polymorphic behavior, especially since no significant change is made to the APK's source code. Because of this, security software can still easily detect the malicious files.

    Aside from detecting the malicious .APK files, all of the related malicious URLs are already blocked through the Trend Micro Smart Protection Network. Trend Micro customers need not worry, as ANDROIDOS_SMSBOXER.AB is currently detected by Trend Micro Mobile App Reputation.

    If anything, this attack shows just how quickly cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general. For more information on mobile threats, please check our Mobile Threat Information Hub.
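    As an added example, not code from the original post, the snippet below shows why inserting junk files defeats whole-file hashing but not a fingerprint of the code entries: the same constructed AndroidManifest.xml and classes.dex are packed twice with different padding. The APK stand-ins are built in memory and carry no real code; the entry names are the standard ones an APK uses.

```python
import hashlib
import io
import zipfile

# Entries whose content determines what the app does; junk padding never lands here.
CODE_ENTRIES = ("AndroidManifest.xml", "classes.dex")

def build_apk(code: dict, padding: dict = None) -> bytes:
    """Constructed stand-in for an APK: code entries plus optional junk files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in {**code, **(padding or {})}.items():
            zf.writestr(name, data)
    return buf.getvalue()

def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: changes every time the server adds new padding."""
    return hashlib.sha256(data).hexdigest()

def code_hash(data: bytes) -> str:
    """SHA-256 over the code-carrying entries only, in a fixed order."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    h = hashlib.sha256()
    for name in CODE_ENTRIES:
        h.update(name.encode() + b"\0")
        h.update(zf.read(name) + b"\0")  # KeyError if a required entry is missing
    return h.hexdigest()

def is_repack_of(sample: bytes, known_bad_code_hash: str) -> bool:
    """True when the sample carries known-bad code, whatever padding wraps it."""
    return code_hash(sample) == known_bad_code_hash

# Constructed sample: identical code served twice with different padding.
CODE = {"AndroidManifest.xml": b"\x03\x00\x08\x00manifest", "classes.dex": b"dex\n035\x00payload"}
VARIANT_A = build_apk(CODE, {"assets/a.txt": b"junk-1"})
VARIANT_B = build_apk(CODE, {"assets/b.txt": b"junk-2", "res/raw/x": b"\x00" * 64})

if __name__ == "__main__":
    print(file_hash(VARIANT_A) == file_hash(VARIANT_B))   # False
    print(code_hash(VARIANT_A) == code_hash(VARIANT_B))   # True
    print(is_repack_of(VARIANT_B, code_hash(VARIANT_A)))  # True
```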


    © Copyright 2013 Trend Micro Inc. All rights reserved.