So I’m looking at this ad network, and I notice that some of its ads lead to an Android binary download. Shady, right? Just the fact that there is an ad leading to a sideloaded APK is already pretty disturbing. I look around and find a whole family of those apps. For each app, at least half of all VirusTotal vendors mark it as an SMS trojan, and so does Lookout.
So we contact well-meaning people who might be interested in hearing about those apps. They tell us it’s a false positive. I go back saying there is no way this could be a false positive, these apps send paid SMS messages and are recognized by top vendors as an SMS trojan. They argue back and still claim it’s an FP. So I run one of the apps in a sandbox, it’s basically a bunch of porn, but the first thing that shows up is a warning saying if the user continues with this app, it will charge X dollars via paid SMS for each video viewed. So I guess if they warn the user upfront about this, then they are legit?
So it seems that, in this particular industry, it’s one way to bill the users. So going back to the definition of mobile malware, how on Earth were the AV scanners supposed to read that initial warning to the user? By all characteristics available to machines, this app looked and acted exactly like an SMS trojan. That’s more bad news for mobile antivirus: since a large part of an app’s functionality is hidden on the server side, unavailable for signature matching, you end up over-analyzing whatever is left accessible to you on the device, and detection starts to fall apart.
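To make the point concrete, here is an added example (my own, not code from the post) of the kind of on-device evidence a scanner actually has to work with: the permissions and SMS receivers declared in a decoded AndroidManifest.xml, as produced by an apktool/baksmali-style unpack. The manifest text below is constructed for the example, and the package name is a placeholder; the triage logic is a plain heuristic, not any vendor’s detection rule. Note that exactly the same findings come out for a consenting premium-SMS billing app and for a trojan, which is the post’s point: the runtime warning that separates the two is not visible here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # attributes like android:name are namespaced

# Permissions that let an app send or intercept SMS without the user's messaging app.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not taken from any real app); package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.videos">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Videos">
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract the package name, declared permissions and SMS_RECEIVED receivers."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
                sms_receivers.append(receiver.get(NAME_ATTR))
    return {
        "package": root.get("package"),  # the package attribute itself is not namespaced
        "permissions": permissions,
        "sms_receivers": sms_receivers,
    }


def triage(info):
    """Return human-readable findings; an empty list means no SMS-billing indicators."""
    findings = []
    sms_perms = info["permissions"] & SMS_PERMISSIONS
    if "android.permission.SEND_SMS" in sms_perms:
        findings.append("SEND_SMS: can send messages without showing the messaging app")
    if info["sms_receivers"]:
        findings.append("SMS_RECEIVED receiver: can read (and potentially hide) carrier replies")
    if sms_perms and "android.permission.INTERNET" in info["permissions"]:
        findings.append("SMS + INTERNET: numbers and message text may be fetched from a server")
    return findings


def needs_manual_review(xml_text):
    """True when the manifest alone cannot rule out premium-SMS behaviour."""
    return bool(triage(parse_manifest(xml_text)))


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"])
    for line in triage(info):
        print(" -", line)
```

Run it on a decoded manifest and every finding it prints is something a static scanner also sees; what it cannot see is whether the app discloses the charge before sending, which is why the result is "needs manual review" rather than a verdict.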
So contrary to some FUD reports, Google Play stays relatively malware-free. Which makes long-running apps like this one especially puzzling.
Enter The Videos Mania, which has been active for at least a year, has been downloaded between 100k and half a million times, and has ~7000 likes on Google+. Its developer has 8 other apps, like ringtones and wallpapers, all of which require SMS permissions and all of which are reported as trojans by Lookout, though the Videos one is by far the most popular. The dude didn’t really bother fudging a proper-looking certificate, simply signing his creations as “DN: C=xx”.
This Videos app is marked by 31/54 VirusTotal vendors as an SMS-sending trojan, so I’m just curious: doesn’t Google own VT? Don’t they VT-scan the apps? Or maybe they do it once during app version releases, and if there are no VT alarms at the time, they never re-scan? Not sure, that doesn’t sound like Google. But here we are with this app, and some more of my favorites coming up in future posts.
When your dad emails you a very important link, you better open it, right? Well, sometimes if you do that on your phone, you will be surprised to kick off a download from none other than:
and get yourself a file called security.update.apk, also known in some circles as Trojan.Android.NoComA.D. True story! All links still work perfectly as of this writing, 2 months after I got that email. Of course, I’ve not run it, nor have I tried whether it will work with the “Play-APKs-only” option, but I will take it for a little baksmali session to crack it open and see what we can learn from it.
Why is this extremely important? Because no amount of Play policing will ever close this particular malware distribution channel. What can you do to protect your phone? As usual, only install APKs from trusted stores like Play, Amazon, etc. Turn off “Unknown Sources” in Application Settings. Also, get a malware scanner; the scum is multiplying and it’s getting here fast.