Third-party Android markets have always been the favorite means of malicious app dissemination, especially in regions like Asia, where users don’t have access to the official repository.

This is also the case with the latest campaign laid out by cyber-crooks to lure users into installing well-known applications on the genuine Android Market, but which have been tampered with in order to launch additional services along with the original app.

Shortly put, the original Android application downloaded from a third-party location contains “the real deal” as well as a Trojanized service (usually called “GoogleServicesFrameworkService”), which is launched as soon as the host application is started.

Identified by Bitdefender as Android.Trojan.FakeUpdates.A, this piece of malware connects to a C&C server and fetches a list of links to different APKs. After that, it downloads each APK from the list and then displays a notification in the status bar area, reading "In order to have access to the latest updates, click Install)." This approach confuses the user, as they have no idea where the message came from.

This Trojan requires an extensive array of privileges upon installing, in order to make sure that it can take full control over the smartphone whenever necessary. Depending on the APKs to be downloaded and installed, the application may require up to 10 privileges prior to the installation and most of the users will accept it without any second thoughts, since they believe that what is to be installed is an update to one of the applications they already have installed.

Android application posted on third-party Android Markets are nothing new; however, what is particularly important is the attackers’ modus operandi: they publish a totally legit application on the respective Market, let it live for a couple of days to get the positive ratings and gain users’ trust, and then change the APK with a Trojanized one in order to fulfill their malicious goals. Also, of great importance is that most of the repackaged applications we have analyzed have low detection rates, which poses a real danger even to smartphone users who run a mobile security solution.

Android.Trojan.FakeUpdates.A poses an immediate threat to the smartphone user as it can download and install anything, from trial versions of software in pay-per-install campaigns to spyware and other Trojans.

In order to protect your privacy and keep your device in the best shape, you are advised NOT to install applications that ask for more permissions that it would normally use. Also, installing a mobile security solution will help you mitigate this kind of attack.


Author: Alexandru Catalin Cosoi, Global Research Director at Bitdefender.