Android.FakeInstaller is a widespread mobile malware family. It has spoofed the Olympic Games Results App, Skype, Flash Player, Opera and many other top applications. This is not news in the mobile malware world, the FakeInstaller family is one of the most prevalent malware that we have analyzed. More than 60 percent of Android samples processed by McAfee are FakeInstallers. This threat has become more dangerous, adding server-side polymorphism, obfuscation, antireversing techniques and frequent recompilation, all to avoid detection by antivirus solutions.
Android.FakeInstaller sends SMS messages to premium rate numbers, without the user’s consent, passing itself off as the installer for a legitimate application. There is a large number of variants for this malware, and it is distributed on hundreds of websites and fake markets. The spread of this malware increases every day.
The deception starts when users search for a popular application and access a fake official site or fake market via search engines or social networks. Applications appear to be legitimate, including screenshots, descriptions, user reviews, videos, etc. Victims fall into the trap of downloading and installing the malware. When Android.FakeInstaller is executed, it displays a service agreement that tells the user that one or more SMS’s will be sent; this agreement has been found in Russian or English.
The interface can be confusing. The user is forced to click an Agree or Next button, which sends the premium SMS messages. We have also seen versions that send the messages before the victim clicks a button.
After the button is pressed, FakeInstaller sometimes displays a fake download-progress bar. Finally, the dialog closes or redirects the browser to another fake market. Users will probably never get the application they want.
In the wild we find several variants of FakeInstallers that have the main payload in common but have different code implementations. Some of them also have an extra payload. Generally each family is associated with a set of servers, domains, and fake applications markets.
This relationship is very strong because most FakeInstallers are server-side polymorphics, which means the server (according to its configuration) could provide different APK files for the same URL request.
When a victim requests an application from a fake market, the server redirects the browser to another server that process the request and sends a customized APK which has an associated ID in the generated URL. The APK file is associated with the victim’s IP address.
For example: Fake “Opera Mini 6.5” APK files were download from one URL (http://[censored]loads.ru/tds?r=3967) but accessed from two IP addresses (A and B). As a result, the browser gets redirected to different URLs and downloads very similar APK files that contain a few differences in the file res/raw/config.txt, which is related to the redirected URL.
The following image shows differences inside the file res/raw/config.txt, which is in samples downloaded from IP addresses A and B.
Consequently this modification produces changes in the digital signature (MANIFEST, MYKEY2.SF, and MYKEY2.RSA). In other variants this malware include an image (of a Russian joke) to increase or change the APK file size.
SMS Premium Rate Numbers
Previous versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries–adding instructions to get the Mobile Country Code and Mobile Network Code of the device. Based on that information, Android/FakeInstaller selects the premium-rate numbers and the text for SMS messages.
The first versions of SMS message numbers were inside the DEX file, but in recent versions they come inside an encrypted XML file inside the APK, which depends on the server. We have found FakeInstaller samples that send up to seven premium SMS messages.
Avoiding Analysis: Java Obfuscation and Recompilation
Normally in one fake market all the applications include the same DEX file. After a while, the DEX file changes for all. Malware authors change their DEX files with newly recompiled obfuscated versions of the same code or implement new functions and include cosmetic changes, animations of fake installation progress bars, icons, texts, etc.
The most recent versions of FakeInstallers include different recompiled obfuscated versions of the same source code, changed source filenames, line numbers, field names, method names, argument names, variable names, etc.
In the following image we see two obfuscated versions of the same variant distributed in the same fake market on two days:
Obfuscators such as ProGuard or DexGuard can remove the debugging information and replace all names with meaningless character sequences, so it is much harder to reverse-engineer the code. Some versions, such as Android.FakeInstaller.S, also include antireversing techniques to avoid dynamic analysis and prevent the malware from running in an emulator.
There are versions of Android.FakeInstaller that not only send SMS messages to premium rate numbers, but also include a backdoor to receive commands from a remote server. FakeInstaller.S uses “Android Cloud to Device Messaging” to register the infected devices in a database and send them messages (URLs) from malware authors Google accounts.
Beside the server-side polymorphics we have to consider the daily creation of new fake websites and fake markets. These sites redirect the victim’s downloads to a set of IP addresses and domains, as the following screenshots show:
Some of these sites look fairly convincing and grab new victims easily because they are indexed in search engines like Yandex, which has a great position in the results ranking.
To avoid detections and appear more dependable, some fake sites redirect the application’s download link from malicious to clean APK files, but after a while they restore the links.
We have also seen that fake-sites URLs are shared via Twitter by bot accounts and fake Facebook profiles:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.