New Tactics Helping Toll Fraud Malware on Android Avoid Detection

Malware intent on SMS fraud, also known as toll fraud, has been a constant on mobile platforms, Android in particular, for some time. And FakeInst is definitely king of the hill when it comes to this type of malware. Prevalent in Russia and the rest of Eastern Europe, the malware poses as popular applications, free games or screensaver and once installed, sends premium SMS messages to a service controlled by an attacker. The malware also intercepts messages confirming the charges from wireless providers and ultimately, the user is socked with a massive phone bill while the attacker quietly cashes in. A recent report from Lookout Security said toll fraud malware accounted for 91% of mobile malware and FakeInst malware has netted more than $10 million this year for the attackers behind the malware.

Malware intent on SMS fraud, also known as toll fraud, has been a constant on mobile platforms, Android in particular, for some time. And FakeInst is definitely king of the hill when it comes to this type of malware. Prevalent in Russia and the rest of Eastern Europe, the malware poses as popular applications, free games or screensaver and once installed, sends premium SMS messages to a service controlled by an attacker. The malware also intercepts messages confirming the charges from wireless providers and ultimately, the user is socked with a massive phone bill while the attacker quietly cashes in. A recent report from Lookout Security said toll fraud malware accounted for 91% of mobile malware and FakeInst malware has netted more than $10 million this year for the attackers behind the malware.

The news gets worse. Researcher Fernando Ruiz of McAfee, who has examined the Android.FakeInstaller mobile malware family, reported that he’s seeing new features to help the malware avoid detection by security products, including server-side polymorphism, obfuscation, anti-reversing techniques and frequent recompilation.

“The spread of this malware increases every day,” Ruiz said.

Polymorphism is one feature leading to the malware’s success. Ruiz explains that the server can provide different APK packing files for the malware, even from the same URL. That APK also has a customized identifier that is associated with the victim’s IP address.  

The attackers have also expanded the range of SMS numbers the malware can reach out to by having it get the mobile country code and mobile network code of the device that’s been infected and search for premium-rate messages based on that location.

Attackers have also developed new means of obfuscating the executable files, or DEX files, written for Android. Ruiz said most recent versions of FakeInstaller malware include different recompiled obfuscated versions of the same source code, or that attackers have changed source file names, line numbers, field names and more.

By using obfuscating programs such as ProGuard or DexGuard, Ruiz said, malware writers can make it much more difficult to reverse engineer the malware by replacing all those source names with meaningless character sequences.

His research has also spotted a constantly changing array of fake websites and Android application marketplaces that spread the malware and have strong search ratings in search engines such as Yandex.

“Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code and techniques to try to avoid antivirus software,“ Ruiz said. It’s an ongoing struggle, but we are constantly working to keep up with their advances.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.