There is a new variant of the OpFake mobile malware making the rounds, and this version comes bundled with a copy of the legitimate Opera Mini mobile browser. The malware targets Android phones and steals money from victims by sending SMS messages to premium-rate numbers without the user’s knowledge; it also collects data about the device it infects.
Researchers at GFI Labs discovered the new variant of OpFake in recent days, and found that, unlike older versions of the malware that disguised itself as Opera Mini, this version actually downloads a copy of the mobile browser. The attackers have set up a fake Opera Mini Web site that encourages users to download the browser. Clicking on the link on the site begins the installation routine for the malware, downloading a package called “opera_mini_65.apk”.
“During installation, two sets of ‘Permission to Install’ pages are displayed to smartphone users: (1) The first set comes from the malware itself. As you can see, it asks for read and modify rights to all SMS and MMS messages, read rights to all contacts stored on the smartphone, and modify or delete rights to the SD card, among other things,” Jovi Umawing of GFI Labs wrote in an analysis of the malware.
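The permission profile Umawing describes (SMS read/modify plus SMS sending, contacts, and SD card write) is something a defender can check for statically before a sample is ever run. The following is an added triage example, not code from GFI Labs or from the article; it assumes the APK's AndroidManifest.xml has already been decoded to text (for example with apktool), and the two manifests below are constructed samples with placeholder package names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups corresponding to the rights the OpFake installer asks for,
# as described in the GFI analysis quoted above.
SMS_READ_MODIFY = {"android.permission.READ_SMS", "android.permission.WRITE_SMS",
                   "android.permission.RECEIVE_SMS"}
SMS_SEND = "android.permission.SEND_SMS"
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
STORAGE_PERMS = {"android.permission.WRITE_EXTERNAL_STORAGE"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def triage(manifest_xml):
    """Flag the premium-SMS/data-harvesting permission profile; returns findings."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if SMS_SEND in perms:
        findings.append("can send SMS (premium-rate fraud risk)")
    if perms & SMS_READ_MODIFY:
        findings.append("can read, receive or modify SMS/MMS")
    if perms & CONTACT_PERMS:
        findings.append("can read contacts")
    if perms & STORAGE_PERMS:
        findings.append("can modify or delete SD card contents")
    # An app presenting itself as a browser has no reason to send SMS; combined
    # with two or more of the other rights this matches the OpFake profile.
    suspicious = SMS_SEND in perms and len(findings) >= 3
    return {"permissions": sorted(perms), "findings": findings, "suspicious": suspicious}


# Constructed sample: a fake-browser manifest with the OpFake permission profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: what a plain browser would typically need.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""
```

Run `triage(SUSPICIOUS_MANIFEST)` on a decoded manifest to get the flagged findings; the heuristic is a first-pass filter for manual review, not a verdict.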
Once on the infected Android device, the malware redirects the user to a legitimate download page for Opera Mini, which makes the installation seem more authentic. If users choose to install the browser, the real Opera Mini browser shows up on their phone. But the malware is already working in the background.
Its first action is to send an SMS message to a premium-rate number controlled by the attackers. The infected Android also connects to a command-and-control server to retrieve instructions for the malware. Here is some of the data that the OpFake malware collects from each infected device, according to Umawing:
- Country location
- Operator name
- OS version
- Phone type
- Device ID (IMEI)
As Umawing points out, the best idea for mobile users is to download apps only from the official app stores of the platform provider. That’s easy on iPhones, because there’s no real choice, but for Android users, there are a slew of alternative markets and sites that offer Android apps. It can be difficult to determine which ones are legitimate and which are malicious, so staying with the official Google Play market is the safest option.