ANDROIDOS_RUFRAUD.A

December 15, 2011
 Analysis by: Karl Dominguez
 THREAT SUBTYPE:

Premium Service abuser

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan is disguised as a downloader of popular Android applications. It is a premium service abuser that targets users with Android-based devices in several countries such as Russia and Germany.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

APK

Initial Samples Received Date:

14 Dec 2011

Payload:

Sends messages

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

NOTES:

It disguises itself as a downloader of popular Android applications.

It displays the following terms of subscription if the Rules button is clicked:

It sends the message 69229 to the following premium service numbers depending on the country. It also monitors and deletes text messages received from these numbers:

Country Number
Azerbaijan 9014
United Kingdom 79067
Armenia 1121
Belarus 7781
Germany 80888
Georgia 8014
Israel 4545
Kazakhstan 7790
Kyrgyzstan 4157
Latvia 1874
Lithuania 1645
Russia 1121
Poland 92525
Tajikistan 1171
Ukraine 7540
France 81185
Czech Republic 9090199
Estonia 17013

It connects to the following URL to download the version of the purported application.

  • http://{BLOCKED}.{BLOCKED}3.175.148/app/{Legitimate Application Name}

  SOLUTION

Minimum Scan Engine:

9.200

VSAPI OPR PATTERN File:

8.645.00

VSAPI OPR PATTERN Date:

14 Dec 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_RUFRAUD.A If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

TREND MICRO MOBILE SECURITY SOLUTION

Trend Micro has released an integrated solution for mobile devices, which provides automatic, real-time scanning to protect wireless devices against malicious code and viruses on the Web or hidden inside files. Download Trend Micro Mobile Security for Android.


Did this description help? Tell us how we did.