Symantec uncovers new Android malware to kick off the New Year

Symantec has uncovered two pieces of Android malware, one spoofing a handful of popular games and another exploiting users' concerns about Carrier IQ software

Symantec researcher Peter Coogan blogged about a new fraudulent application, Android.Steek, found on the official Android Market. It spoofs a handful of popular games and was published under the developer name "Stevens Creek Software".

During installation the fraudulent app requests only one permission, full Internet access, so the permission prompt gives the user little reason for suspicion. Once installed, the app opens to a splash screen themed after the game it impersonates and asks the user to finish the "installation" by pressing a button. Pressing it launches the browser, which is bounced through several redirects before landing on a website advertising an online income scheme, Coogan wrote.

Separately, controversy was sparked last month when Android developer Trevor Eckhart posted a YouTube video showing how Carrier IQ software logs text messages, web searches and other activities without the user's knowledge or permission.

Tapping into that controversy, malware developers are circulating a fake Carrier IQ removal toolkit, Android.Qicsomos, that targets smartphone users in France and covertly sends text messages to a premium-rate number.

“On installation, the app appears in the device menu with an icon similar to the logo of a major European telecom operator. It is this fact, not to mention we cannot find any trace of this on the Android Market, that leads us to believe that there may be a social engineering vector being used to spread the malware, such as a spam or phishing campaign pretending to be from an official carrier asking the users to download and run the software”, Irfan Asrar with Symantec wrote in a blog.

“The malicious code goes to work when the user presses the button marked ‘Désinstaller’ from within the app. Once pressed, four SMS messages are sent to 81168 – a premium-rate number. The trojan follows up by executing an uninstall routine to remove the app”, he added.

The malware authors have also found a way around Android's app permission model under certain circumstances: the threat is signed with a certificate that was published as part of the Android Open Source Project. This allows the app to be installed on certain devices without having to go through the regular permissions notification screen, a primary defense mechanism against malicious apps, Asrar explained. The circumstances are narrow, since a signing key only carries weight on devices whose own system image was signed with it. The AOSP keys (testkey, platform, shared and media, shipped under build/target/product/security in the AOSP tree) are documented as development-only keys, and devices built with them, such as emulator images, AOSP test builds and some custom ROMs, will treat any app signed with them as the vendor's own. A production device signed with the vendor's private release keys treats the same app as an ordinary third-party app.
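The check a practitioner wants here is whether an APK's signing certificate matches one of the published AOSP keys. The script below is an added example for this article, not Symantec's or Google's code. It assumes the APK carries a v1 (JAR) signature, that is a DER-encoded PKCS#7 SignedData under META-INF/*.RSA, *.DSA or *.EC, and that the reference certificates are PEM files such as build/target/product/security/testkey.x509.pem from an AOSP checkout; it uses only the standard library, with a DER walker that covers just the structures needed to reach the certificates. The sample APK and signature block at the bottom are constructed so the module runs offline; the "certificates" in them are stand-ins, not real X.509 data.

```python
"""Check whether an APK's v1 (JAR) signing certificate is one of the public AOSP keys.

Added example; not code from the article or from AOSP. Assumed layout:
META-INF/*.RSA|*.DSA|*.EC holds a DER PKCS#7 SignedData whose [0] certificates
field carries the signer's X.509 certificate. Reference PEMs are assumed to be
the AOSP files build/target/product/security/{testkey,platform,shared,media}.x509.pem.
"""
import base64
import hashlib
import io
import re
import sys
import zipfile


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, tlv_start, value_start, value_len).
    Single-byte tags only, which is all PKCS#7/X.509 use at this level."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, start, pos, length


def der_children(buf, start, end):
    """Yield the TLVs packed back to back in buf[start:end]."""
    pos = start
    while pos < end:
        tlv = der_read(buf, pos)
        yield tlv
        pos = tlv[2] + tlv[3]


def certs_from_pkcs7(der):
    """Return the DER certificates carried in a PKCS#7 SignedData blob."""
    tag, _, ci_start, ci_len = der_read(der, 0)                 # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content = [c for c in der_children(der, ci_start, ci_start + ci_len) if c[0] == 0xA0]
    if not content:
        raise ValueError("ContentInfo has no [0] content")
    _, _, sd_pos, _ = content[0]
    _, _, sd_start, sd_len = der_read(der, sd_pos)               # SignedData ::= SEQUENCE
    certs = []
    for tag, _, v_start, v_len in der_children(der, sd_start, sd_start + sd_len):
        if tag == 0xA0:                                           # [0] IMPLICIT certificates
            for ctag, c_start, cv_start, cv_len in der_children(der, v_start, v_start + v_len):
                if ctag == 0x30:                                  # Certificate ::= SEQUENCE
                    certs.append(der[c_start:cv_start + cv_len])
            break
    return certs


def fingerprint(cert_der, algo="sha256"):
    """Uppercase hex digest of the DER certificate, no colons (compare after stripping
    the colons openssl x509 -fingerprint or apksigner --print-certs emit)."""
    return hashlib.new(algo, cert_der).hexdigest().upper()


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM")
    return base64.b64decode("".join(m.group(1).split()))


def apk_v1_signer_fingerprints(apk, algo="sha256"):
    """apk: path or file-like object. Returns fingerprints of every v1 signer certificate."""
    found = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    found.add(fingerprint(cert, algo))
    return found


def signed_with_reference_key(apk, reference_pems, algo="sha256"):
    """Subset of the APK's signer fingerprints that match one of the reference PEM certs."""
    reference = {fingerprint(pem_to_der(p), algo) for p in reference_pems}
    return apk_v1_signer_fingerprints(apk, algo) & reference


# --- constructed sample input (stand-in certs, not real signatures) so this runs offline ---
def der_wrap(tag, payload):
    """Encode one DER TLV; used only to build the sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


FAKE_CERT = der_wrap(0x30, der_wrap(0x02, b"\x01"))                # stand-in "certificate"
OTHER_CERT = der_wrap(0x30, der_wrap(0x02, b"\x02"))               # a different one
SAMPLE_PKCS7 = der_wrap(0x30,
    der_wrap(0x06, bytes.fromhex("2A864886F70D010702")) +           # id-signedData OID
    der_wrap(0xA0, der_wrap(0x30,
        der_wrap(0x02, b"\x01") +                                    # version
        der_wrap(0x31, b"") +                                        # digestAlgorithms
        der_wrap(0x30, der_wrap(0x06, bytes.fromhex("2A864886F70D010701"))) +  # contentInfo
        der_wrap(0xA0, FAKE_CERT) +                                  # [0] certificates
        der_wrap(0x31, b""))))                                       # signerInfos


def as_pem(cert_der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert_der).decode()
            + "\n-----END CERTIFICATE-----\n")


def build_sample_apk():
    """A minimal in-memory APK carrying only the sample v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"")
        z.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # usage: python check_apk_key.py app.apk testkey.x509.pem platform.x509.pem ...
    pems = [open(p).read() for p in sys.argv[2:]]
    hits = signed_with_reference_key(sys.argv[1], pems)
    print("signed with a reference (public) key:" if hits else "no reference key match", *sorted(hits))
```

Run it against the four AOSP PEM files to get a yes/no answer for any APK; `apksigner verify --print-certs` prints the same SHA-256 and SHA-1 digests if you would rather compare by hand. A match only means the app would be trusted on devices built with those public keys; it says nothing about the app's behaviour, which is why the permission screen bypass described above is a device-build problem as much as an app problem.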
