The Top 15 Cloned Android Apps and Games Posing as Trojans

Malware authors are cashing in on the Instagram-Facebook craze with their fake Instagram app for the Android platform.

The fake Instagram app is actually a Trojan in disguise, dubbed as “Andr/Boxer-F” by Sophos, who discovered the malicious apps.  The malware authors made fake websites that advertised the fake Instagram apps.  What the evil apps do is secretly send international texts, which generates a lot money for the malware authors, and empties out your wallet.

An article in ZDNet features the photo of a man, whose identity is unknown, which could be the author of the malware, a relative, a friend or just some random Joe.  The photo is said to be included multiple times in the .apk file of the malicious app.  Sophos believes that the inclusion of the photo in the file multiple times is to change the fingerprint of the file so that it will not be detected by antivirus softwares.

This is the hazard of having an open platform as there are many stores that offer their apps.  Instagram is a free app, so I’m not really sure why people would be downloading this outside of Google Play.  The only reason I can think of is that their device isn’t supported by Google Play.  But if you have Google Play, better get your apps from them.  It will save you a lot of money.  And for those interested in downloading Instagram for Android, click here for the official app.

The fake Instagram app is just one of the fake apps that recently surfaced.  Last week, Sophos warned that a fake Angry Birds Space was spotted in unofficial Android stores.  Just like the Instagram app, the Angry Birds Space app is also a Trojan, identified as  Andr/KongFu-L.  It appears like a fully-functional version of the game but uses the GingerBreak exploit to gain root access to the device, and installs malicious code.  The Trojan then communicates with a remote website to download and install further malware to the compromised device.   Authors of the malware send instructions to the compromised device to download more codes or push URLs to be displayed in the smartphone’s browser.  The compromised device becomes a botnet controlled by the author.

McAfee recently published that malware-laced apps are also found in Google Play, uncovering 15 apps capable of stealing users’ data.   Carlos Castillo of McAfee stated that the Trojan targeted Android users in Japan, masquerading as apps offering to display trailers of upcoming Android video games, anime or Japanese adult videos.

In January of this year, Symantec published a list of infected apps that users should definitely avoid as they allow remote accessing of user data.  The list featured the following apps:

  • Counter Elite Force
  • Counter Strike Ground Force
  • CounterStrike Hit Enemy
  • Heart Live Wallpaper
  • Hit Counter Terrorist
  • Stripper Touch girl

From Ogre Games

  • Balloon Game
  • Deal & Be Millionaire
  • Wild Man

From redmicapps

  • Pretty women lingerie puzzle
  • Sexy Girls Photo Game
  • Sexy Girls Puzzle
  • Sexy Women Puzzle

Cybersecurity experts are predicting that these incidents are just the start of malware invading the Android platform.  They’re expecting a widespread attack in a couple of months.

“In the next couple months, I’d expect a big Android attack that’s going to be very widespread,” Jacques Erasmus, chief information security officer with Webroot, a cybersecurity company, said.  “It’s going to be Android, because it’s an open platform–there’s much less regulation in terms of the app store that makes it much easier for criminals to target. Obviously, the Apple user base is massive, but I think that attack is going to come later.”

So what are we going to do when a huge wave of Android malware hits?

If you’re an Android user, be sure to get your apps from legit stores; go to shady markets and expect that you’ll get not only the app you wanted but a bonus bit of malware as well.
Amazon, which has their own Android store, suggests code obfuscating to developers, which modifies the source and machine code of the app so it would be difficult for a human to understand if your app gets decompiled, and it also eliminates the possibility of reverse engineering apps and cloning them.

Amazon recommends Proguard – a code obfuscation tool – provided once the Android SDK has been downloaded.  Proguard shrinks, optimizes, and obfuscates the source code of the app.