Rogue Android app on Fake Google Play
Barely a week after Google rebranded Android Market as “Google Play”, expanding it from Android apps to a wider range of content, cybercriminals have started to exploit users of Android devices.
In a blog post, Trend Micro reported the emergence of many newly created domains that imitate the Google Play site and host malicious apps.
“(One such) malicious URL (with a .ru suffix) displays a fake Russian Google Play site. When translated to English, the text reads: ‘Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music’.”
“If anything, this attack shows just how quick cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general.”
Trend Micro warned that clicking any of the images on the fake site takes visitors to another malicious Russian domain that offers suspicious Android apps.
Attempting to download the Google Play application, google-play.apk, from the URL instead yields a malicious file detected as ANDROIDOS_SMSBOXER.AB.
ANDROIDOS_SMSBOXER.AB then sends the user to another malicious website.
Trend Micro describes ANDROIDOS_SMSBOXER.AB as a premium-service abuser: mobile malware that subscribes affected devices to premium services without the user's permission, leading to unwanted charges.
Trend Micro also noted its similarity to ANDROIDOS_OPFAKE.SME, an Android malware that gained notoriety for its ability to polymorph, that is, to change its characteristics.
Specifically, it noted that the server hosting ANDROIDOS_SMSBOXER.AB inserts unnecessary files into the APK to evade detection.
Threats analyst Kervin Alintanahin was quoted as saying this cannot be considered true polymorphic behavior, since no significant change is made to the APK’s source code.
“Due to this, security software can still easily detect the malicious files.”
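The analyst's point, that padding an APK with junk files changes the file as a whole but not its code, is easy to show. The following is an added example, not code from the article or from Trend Micro: it builds two constructed APK-like zip archives with an identical stand-in `classes.dex`, one padded with extra entries, and shows that the whole-file hash differs while a hash over `classes.dex` alone still matches, which is why a detector that keys on the code payload is not fooled.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK's code payload. A real classes.dex is Dalvik
# bytecode; any fixed bytes are enough to demonstrate the hashing argument.
FAKE_DEX = b"dex\n035\0" + b"\x00" * 64 + b"constructed-classes.dex-payload"

def build_apk(junk_entries):
    """Build an in-memory APK-like zip: a manifest, a classes.dex and any
    junk files passed in (simulating the padding the article describes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", FAKE_DEX)
        for name, content in junk_entries:
            zf.writestr(name, content)
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def dex_hash(apk_bytes):
    """Hash only the code payload, ignoring every other zip entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sha256(zf.read("classes.dex"))

def junk_entry_names(apk_bytes, expected=("AndroidManifest.xml", "classes.dex")):
    """List entries that are not part of the expected APK layout."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n not in expected)

def compare(apk_a, apk_b):
    """Whole-file hash vs. code-only hash for two APKs."""
    return {
        "file_hash_equal": sha256(apk_a) == sha256(apk_b),
        "dex_hash_equal": dex_hash(apk_a) == dex_hash(apk_b),
    }

if __name__ == "__main__":
    clean = build_apk([])
    padded = build_apk([("assets/pad1.bin", b"\x00" * 4096),
                        ("res/raw/noise.txt", b"constructed junk")])
    print(compare(clean, padded))   # {'file_hash_equal': False, 'dex_hash_equal': True}
    print(junk_entry_names(padded)) # ['assets/pad1.bin', 'res/raw/noise.txt']
```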