Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Kervin Alintanahin (Threats Analyst)

    We’re seeing more and more scams on the Android Market. Last week, we wrote about a developer that uses popular app names to trick users into downloading fake ones. Before that, we saw a fake Temple Run app making the rounds on the Android Market. This time, we saw 37 more apps that share a similar behavior as the previously reported ones. These are “fan apps,” which means that these aren’t the real game created by the original developer.

    I noticed something odd just by looking at the fan apps’ web page. The developer’s website leads to dead links such as site and a misspelled Google domain (it was spelled

    Another thing I noticed was that all the listed apps have the same screenshot. Once installed, the app forces the user to share it on Facebook (if installed) and give it a rating on the Android Market. It also aggressively displays ads as notifications and creates shortcuts on the infected device’s home screen.

    The bigger problem, however, lies in the fact that the apps send sensitive information to particular remote servers. The information that gets sent out includes its OS version, International Mobile Equipment Identity (IMEI), and phone number, to name a few. Once any of these apps are run, the aforementioned information are immediately sent to the servers.

    There is an option to stop the advertisements. However, users are likely to miss and ignore it since it’s hidden in the app’s description page on the site.

    Never Shun the Opt-out Option

    We took the initiative and reported these apps to Google a few days ago. They responded positively and took them off the Android Market.

    However, the apps being taken off the Android Market does not eliminate this threat entirely. Cybercriminals can still choose to upload them to other sites such as third-party app stores, forums, and others. Nonetheless, regardless of where cybercriminals upload them, Trend Micro will still detect them as ANDROIDOS_FAKEAPP.SM.

    Quite obviously, this trend of apps being equipped with aggressive advertising methods — especially those related to search monetization — will be seen for quite a while. Thus, users are advised to be extra careful when installing apps. To read more about this, users may refer to our previous blog entry Search Monetization as a New Threat to the Mobile Platform.

    Trend Micro already protects against this threat. However, user education is still valuable in protecting your mobile devices from such attacks. Users may read more about mobile threats and tips on how to protect their mobile devices thru our Mobile Threat Information Hub.


    Shortly after we reported about a fake Temple Run app in the Android Market, we were alerted to yet another developer that uses popular apps as guises to trick users into downloading rogue apps.

    Here, you can see the developer’s name which appears to be quite similar to the one who developed the popular game, Angry Birds. You’ll notice, though, that the said popular game is not on the list of this particular developer’s offered apps.

    Looking closely, the developer is not really Rovio Mobile Ltd, the Angry Birds developer. The “L” in the word “Mobile” is actually an “I”, so if we spell the developer’s name in all small letters, the name would be “rovio mobiie ltd”.

    It is quite tricky and easy to miss. Users would really have to check the developer’s name closely on the “More from developer” tab to see the real name.

    Read the rest of this entry »


    In our daily monitoring of the mobile threat landscape, we found a copy of the game Temple Run in the Android Market. Temple Run is a popular game app currently available for iOS only. I checked the app and immediately noticed something odd about it. I decided to analyze it to check if my doubts had any basis.

    This copy of Temple Run (or so it claims) is seen as available on the Android Market. But if you’ll check the information on the game developer, you’ll see that it is not the same developer as the one in indicated in the iOS version, which is Imangi Studios.

    Once the application is installed and run, it creates shortcuts on an infected smartphone’s homepage.

    If the Android-based device has Facebook installed, it asks the user to share the fake app on Facebook before playing the game. It would also prompt the user to rate the application in the Android Market.

    Read the rest of this entry »


    2011 was a banner year for the Android operating system – as well as for Android malware. The increasing number of Android users made it profitable for attackers to go after them in full force, as we’ve been saying all year long.

    Where are the threats coming from?

    Many of these threats arrive via third-party app stores, particularly in China (where access to the Android Market can be irregular at times). While the app stores are not necessarily malicious, they simply do not have the resources to adequately curate submissions. As a result, malicious, repackaged, and pirated applications are frequently found in these independent app stores.

    What kinds of threats are we seeing?

    What kinds of threats did we see in the mobile arena? Some of them have been seen previously for older OSes, such as premium service abusers that sign users up for paid services they didn’t subscribe to. In fact, these premium service abusers were the biggest threat in 2011, with these malicious apps reaching not just third-party stores, but the Android Market as well (as in the case of RuFraud, DroidDream and DroidDreamLight).

    This threat type is popular because it offers cybercriminals a direct path to profit. However, we are also seeing more sophisticated threats emerge. Some of these kinds of threats have long been seen in the desktop platform. As mobile threats grow in sophistication, it should not be a surprise that tactics are being recycled, as it were.

    Information theft has long been a problem on desktops, but now it is affecting mobile platforms as well. The well-documented DroidDreamLight family is a good case in point: earlier versions restricted themselves to stealing information related to the device; newer variants now steal such personal information such as text messages and call logs. For an attacker more interested in stealing corporate secrets rather than money, such information could be priceless.

    However, if attackers are interested in stealing financial information, that threat also grew in 2011. While the first cases of ZITMO – mobile malware that works with ZeuS to defeat two-factor authentication systems on mobile phones – were seen in 2010, in 2011 we encountered ZITMO Android variants . This highlights how cybercriminals are now attempting to defeat even two-factor authentication schemes.

    Read the rest of this entry »


    The Android Market was once again infiltrated by malware, as a handful of premium service abusers (which we detect as ANDROIDOS_RUFRAUD.A) posed as legitimate apps were uploaded to the site. A few users were able to install the malicious apps before Google took them down– a fast reaction due to the quick responses from vigilant users and security firms.

    Although the malicious apps are now off the Android Market, we must all be consistently on guard for malicious apps that may be able to find their way there in the future. Especially with Android offering their 10-cent sale to celebrate their 10 billion downloads, users are more likely to install offered apps to take advantage of the apps’ low cost.

    To help users keep their Android device malware-free as they load them with more cool apps, in this post we will point out some key items to keep in mind before installing apps:

    Be familiar with the developer/s behind popular apps

    Cybercriminals regularly leverage certain apps’ popularity and attempt to do so by imitating the popular apps. But since they can not pose as the original developers, the developer’s name can be a good indicator for legitimacy. For example, the real Android Market page for the game Angry Birds shows that it was developed by Rovio Mobile, while the malicious one was developed by a user named Logastrod:

    Click for larger view Click for larger view

    Users can also check the developer’s profile for other apps. Google also offers developer ratings, as well as the status “Editor’s Choice” that can further validate the developer’s legitimacy.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice