Android malware found in seemingly legit versions of Opera Mini, Angry Birds. Always check permissions!

by: J. Angelo Racoma, August 4, 2012

There is a new generation of Android malware, and its authors are becoming increasingly sophisticated in their social engineering. According to security companies, there is a trend among malware makers of using hacked versions of real apps to deliver a malicious payload.

There are about 20,000 malicious Android apps in circulation, says Trend Micro. And about 13 million phones worldwide have been infected, says Chinese security firm NetQin. A big part of these infections involve remotely controlling smartphones to send premium text messages, as well as spamming the phones’ inboxes with junk messages.

Real apps with real payloads

The inherent problem here, of course, is Android’s openness, which comes with both benefits and disadvantages. Because Google Play — and other app repositories — are not as strict in app approval as other platforms like, say, Apple’s, malicious applications can get through. Google will kill apps that are found to contain malicious payloads, but the damage may have already been done by then.

End-users may be lulled into a false sense of security in downloading only legitimate apps. However, downloading the same legitimate apps from dubious sources might come with some problems. Case in point: OpFake, which was found to have been embedded in a legitimate copy of Opera Mini.

The malware author will not just mimic the mobile browser, but will actually install the real deal — but not before sending an SMS to a premium number. Do keep in mind that the Opera Mini app available from Google Play is just the installer, and it downloads the actual app from Opera after install. This makes it easy for hackers to spoof the installer app, but download the real thing.

Android malware will usually come with payloads that do any of the following: call a premium number, send premium SMS, flood the phone with spam, or offer remote control access to hackers, thereby turning the phone into a bot for sending spam.

How to protect yourself against malware

Your Android smartphone and tablet already offer some defense against malware, but only if you’re vigilant enough to use it. This basically involves the user permissions that you approve when installing an app.

For instance, the OpFake malware bundled into a real Opera Mini copy seeks permissions different from the legitimate Opera Mini, which should already raise suspicions from anyone familiar with what permissions a browser should require.

Image credit: GFI Labs

The legitimate Opera Mini would only require the following:

  • Storage
  • Network communication
  • Your personal information

However, the OpFake version would also require the following:

  • Your messages
  • Services that cost you money

In a Fast Company article, Neil Ungerleider says the fact that an app seeks permissions for “phone calls,” “messages” and “services that cost you money” should already raise suspicions of a potential threat. Does a mobile web browser really need to initiate SMS messages and access services that result in carrier charges?
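The permission comparison described above can be automated before an APK is installed. The following Python code is an added example, not from the article or GFI Labs: it parses the text printed by `aapt dump permissions` for a known-good build and a candidate build and reports what the candidate requests on top. The two dumps, the package name and the permission-to-group mapping are constructed assumptions, not the real Opera Mini or OpFake manifests.

```python
import re

# Assumption: partial mapping from manifest permissions to the install-screen
# group labels quoted in the article (Android versions of that era).
GROUPS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.INTERNET": "Network communication",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Your personal information",
    "android.permission.READ_SMS": "Your messages",
    "android.permission.RECEIVE_SMS": "Your messages",
    "android.permission.SEND_SMS": "Services that cost you money",
    "android.permission.CALL_PHONE": "Services that cost you money",
}
# Groups the article flags as suspicious for a web browser.
HIGH_RISK = {"Your messages", "Services that cost you money"}

# aapt prints either `uses-permission: NAME` or `uses-permission: name='NAME'`.
PERM_RE = re.compile(r"^\s*uses-permission:\s*(?:name=')?([\w.]+)", re.M)

# Constructed sample dumps (hypothetical package, not the real manifests).
KNOWN_GOOD = """package: com.example.browser
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
"""
CANDIDATE = """package: com.example.browser
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
"""

def parse_permissions(dump):
    """Return the set of permission names declared in an aapt dump."""
    return set(PERM_RE.findall(dump))

def audit(known_good_dump, candidate_dump):
    """Report permissions the candidate requests beyond the known-good build."""
    extra = parse_permissions(candidate_dump) - parse_permissions(known_good_dump)
    groups = {GROUPS.get(p, "Unmapped: " + p) for p in extra}
    return {
        "extra_permissions": sorted(extra),
        "extra_groups": sorted(groups),
        "suspicious": bool(groups & HIGH_RISK),
    }

if __name__ == "__main__":
    print(audit(KNOWN_GOOD, CANDIDATE))
```

Permissions missing from the mapping are listed as "Unmapped" instead of being dropped, so an unfamiliar request still shows up for manual review.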

Going beyond malware, even poorly-coded applications can severely affect a smartphone’s functionality. A study conducted by Stanford University researchers has determined that poorly-designed mobile websites and mobile apps drain smartphone and tablet batteries at an accelerated rate. Even free applications that display ads are more likely to drain your Android device’s battery than a paid one without ads, as determined by Purdue research.

Even the best of us get hit by malicious software at least once in our computing lives. I must admit that even with vigilance, my notebook computer got hit by a hard-to-remove rootkit a couple of years back. That particular attack caused two weeks in lost productivity as I hunted for a way to remove it without reformatting.

Android smartphones should be easier to fix, with a quick factory reset and a re-sync of user data from Google account backups. But the headache and heartache over extraneous expenses from premium SMS and calls sent should be bad enough for any Android user.

The key here is vigilance. A quick glance at the app permissions before tapping “accept & download” may spell the difference between a safe system and an infected one.

  • Top Gear

    The idea that regular users should have to read and understand permissions is ridiculous. Google should do what Apple does and create a stricter app approval process for the Play Store. That way only experienced users will be able to download apps, either a new app store from the Play Store or by allowing downloads from other locations in Settings.

    • popomano

      But then if they do that .. there’s no reasons to go android

    • Jose Marie Maquinay

      With permissions visible, you know what the app can do, there is no guessing game. IF you install a malicious app without consulting its permissions, it’s mostly your fault. Remember, even the ‘almighty’ Apple App Store still gets malware (nothing is completely safe). Not to mention their app approval process is self serving (app conflict with Apple’s services = approval denied).

      • Top Gear

        IF you install a malicious app without consulting its permissions, its mostly your fault.

        That’s the same bullshit reasoning used to defend Windows for so many years. Go tell regular folks who use Android that ridiculous shit.

        But it’s Ok. They’ll come to the iOS platform looking for security, since idiots like you would rather keep your head in the ground on Android’s side.

        even the ‘almighty’ Apple App Store still gets malware (nothing is complete safe)

        Every study shows that malware is mostly an Android problem. There have been apps on iOS that did naughty things, but those were legit apps and Apple fixes it. None of them abused text messages to charge you money!

        Not to mention their app approval process is self serving (app conflict with Apple’s services = approval denied).

        A few apps conflict with Apple’s. Over 600,000 don’t and are approved and are malware free.

  • bridders

    Just use the official store, problem solved.

    Only fake stores deliver fake content. Just like the real world. If you buy a Gucci handbag down the market…

    This story is scaremongering tripe. I have I’m off elsewhere for proper tech news.

    • True. Use the official store and check the developer. If people download an opera app with just 1.000 downloads and unknown developer something goes wrong :)

  • trm96

    First of all, why the hell would you sideload the Opera Mini browser that you downloaded somewhere on the internet? Second, if you look at the install screen you can tell it’s fake without even looking at the permissions…

  • Joseph

    What would be really good would be if the operating system would allow the user to deny any suspect permissions.