Recently, Facebook announced its acquisition of Instagram— a popular photo-sharing smartphone app, which also released an Android version almost a week ago. It was reported that Facebook paid approximately $1 billion (£629m) in cash and stock for the said takeover.
Cybercriminals, soon enough, started to take advantage of Instagram‘s popularity. We discovered a spoofed webpage containing a rogue version of Instagram. The said webpage mimics Instagram‘s legitimate download page. The red squares indicate clickable links that lead to the download:
For your reference, below is a screenshot of the site hosting the legitimate app:
My colleague Jonathan Beltran also uncovered a rogue version of Angry Birds Space. Similar to the fake Instagram app, the webpage hosting this rogue app is hosted on a Russian site.
Both the rogue Instagram and Angry Birds Space are detected as ANDROIDOS_SMSBOXER.A. Based on our initial analysis, the malware will ask users to permit the sending of a query using short numbers to supposedly activate the app. In reality, this malware sends a message to specific numbers. The rogue app also connects to specific sites, to possibly download other files onto the device.
For the past few days, we have been seeing several other Russian domains hosting fake webpages posing as download pages for some popular Android apps. Some of the apps used in this scheme include Fruit Ninja, Temple Run and Talking Tom Cat. Users are advised to remain cautious before downloading Android apps, specially those hosted on third-party app stores. To know more on how to prevent downloading malicious apps and other safety tips, you may read the following e-guides:
Trend Micro™ Smart Protection Network™ prevents access to the malicious website so users are protected from clicking and downloading the fake Instagram and Angry Birds Space app. Furthermore, Trend Micro Mobile Security detects the .APK to protect Android smartphones from the malware’s malicious routines.