FakeInst, as it’s known for short, invades smartphones by passing itself off as the installer for a legitimate application – it has spoofed the Olympic Games Results App, Skype, Flash Player, Opera and other top applications. When the user installs the new app, it then gets to work behind the scenes, without the user’s knowledge or consent, to send multiple text messages to premium-rate numbers.
The billings, paid automatically out of an unwitting victim’s account, then go directly into the pockets of criminals. Lookout Security said in a recent report that FakeInst malware has stolen more than $10 million this year already.
It’s a highly prevalent infection in Eastern Europe especially, according to researcher Fernando Ruiz of McAfee, but overall, more than 60% of Android samples processed by McAfee are FakeInstallers. Now, this threat has become more dangerous, he said, adding server-side polymorphism, obfuscation, antireversing techniques and frequent recompilation it its toolkit.
“Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure code, and techniques to try to avoid antivirus software,” said Ruiz. “It’s an ongoing struggle, but we are constantly working to keep up with their advances.”
It can be hard for a user to parse whether the application is legitimate in the first place: search engine results or social network postings direct people to a fake official site or fake market that includes legitimate-looking screenshots, descriptions, user reviews and videos. Once the download is agreed to, a service agreement in Russian or English pops up explaining that one or more SMSs will be sent; and the user is forced to click an Agree or Next button. Often these install screens look just like the legitimate versions, with the lone addition of the SMS line. When the dialogue box closes, the browser is redirected to another legitimate-looking market, Ruiz explained.
Now, malware authors are expanding the size and scope of the threat. For one, they are creating new fake websites and fake markets on a daily basis. “Some of these sites look fairly convincing and grab new victims easily because they are indexed in search engines like Yandex, which has a great position in the results ranking,” Ruiz cautions.
To avoid detection and appear more dependable, some fake sites redirect the application’s download link from malicious to clean APK files, “but after a while they restore the links,” he added.
Also, while previous versions of FakeInstaller were created only for Eastern European users, the premium-rate phone numbers for the scam have been expanded to include other country codes. In addition, the number of texts sent are increasing: “We have found FakeInstaller samples that send up to seven premium SMS messages,” Ruiz noted.
FakeInst is also morphing in its goals; increasingly, the malware is incorporating botnet techniques as well. “There are versions of Android.FakeInstaller that not only send SMS messages to premium rate numbers, but also include a backdoor to receive commands from a remote server,” Ruiz said. “FakeInstaller.S uses ‘Android Cloud to Device Messaging’ to register the infected devices in a database and send them messages (URLs) from malware authors Google accounts.”
Malware authors may be doing what they can to cast a wider net on the offense side, but when it comes to defense, FakeInst is being altered in order to escape detection and, even if found, analysis. For one, McAfee has found polymorphic servers in the wild where several variants of FakeInstallers provide different APK files for the same URL request.
“Consequently this modification produces changes in the digital signature (MANIFEST, MYKEY2.SF, and MYKEY2.RSA),” explained Ruiz, thus evading known signature detection for the malware. “In other variants this malware includes an image (of a Russian joke) to increase or change the APK file size.”
For example, Fake Opera Mini 6.5 files were download from one URL but accessed from two IP addresses (A and B). As a result, the browser gets redirected to different URLs and downloads very similar APK files that contain a few differences in the file res/raw/config.txt, which is related to the redirected URL.
Criminals are also employing Java obfuscation and recompilation to evade analysis. Normally in one fake market all the applications include the same DEX file, Ruiz said. After a while, the DEX file changes for all. Malware authors change their DEX files with newly recompiled obfuscated versions of the same code or implement new functions and include cosmetic changes, animations of fake installation progress bars, icons, texts and so on.
However, the most recent versions of FakeInstallers expand on the theme to include different recompiled obfuscated versions of the same source code, changed source filenames, line numbers, field names, method names, argument names, variable names and more.
“Obfuscators such as ProGuard or DexGuard can remove the debugging information and replace all names with meaningless character sequences, so it is much harder to reverse-engineer the code,” said Ruiz. “Some versions, such as Android.FakeInstaller.S, also include antireversing techniques to avoid dynamic analysis and prevent the malware from running in an emulator.”