Rogue APKs continue to find new homes

by Armando Orozco

We’ve been tracking rogue premium-SMS Android apps for some time now. Here’s an interesting site we came across offering a download of the Google Music application, but this one comes with a cost. This site serves up a premium-SMS Trojan of the ransom variety. Targeting Russian speakers, these rogues, which we call Android.FakeInst, offer to give access to the app, but for a fee.


People who install this rogue will be charged a fee of 3 premium-rate text messages. There is some randomization that takes place with the app. The overall code doesn’t change, but the MD5 checksum changes with each download, and every couple of days the package name changes.
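Why a whole-file MD5 makes a poor signature for this family, as an added example (not Webroot's code or detection logic): it hashes each archive entry separately and reports which entries are identical across downloads. The three samples are constructed in memory, and treating classes.dex as byte-identical across downloads is an assumption drawn from the statement that the overall code doesn't change.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the unchanged code shared by every download (assumption).
DEX = b"dex\n035\x00" + b"CONSTRUCTED-CODE-BODY" * 64


def build_sample(manifest: bytes, filler: bytes) -> bytes:
    """Build one constructed APK-like archive: same code, different wrapper bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)  # package name varies here
        z.writestr("classes.dex", DEX)
        z.writestr("res/raw/data.bin", filler)       # per-download filler
    return buf.getvalue()


def file_md5(apk: bytes) -> str:
    """Whole-file checksum, the value that changes with each download."""
    return hashlib.md5(apk).hexdigest()


def entry_digests(apk: bytes) -> dict:
    """SHA-256 of each entry's uncompressed content, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist() if not i.is_dir()}


def stable_entries(samples: list) -> dict:
    """Entries whose content is byte-identical in every sample."""
    digests = [entry_digests(s) for s in samples]
    return {name: h for name, h in digests[0].items()
            if all(d.get(name) == h for d in digests[1:])}


# Constructed samples: hypothetical package names and filler sizes.
SAMPLES = [
    build_sample(b"<manifest package='com.example.a1'/>", b"\x01" * 40),
    build_sample(b"<manifest package='com.example.b2'/>", b"\x02" * 57),
    build_sample(b"<manifest package='com.example.c3'/>", b"\x03" * 23),
]

if __name__ == "__main__":
    print("whole-file MD5s:", [file_md5(s) for s in SAMPLES])
    print("stable entries: ", stable_entries(SAMPLES))
```

Any entry that survives in `stable_entries` is a better clustering key than the file checksum or the package name, both of which the distributor rotates.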

These malicious sites must be very successful and profitable, as they continue to pop up everywhere. A few weeks ago, members of the crew who distributed the Foncy SMS Trojan were arrested in France; they profited around $150,000, not too bad. Remember, when downloading Android apps, choose them wisely and download from a trusted source. Check reviews, research the developer and verify the permissions requested before downloading.

2 thoughts on “Rogue APKs continue to find new homes”

  1. I have a concern that the apps in the software for Best Buy, HP, Dell, Walmart etc, any company that puts an app in their software for instance Dell support center or dock has a down loader invader in it. Double anti spyware found it as did avast. My laptop is so infected. It came that way. I took 5 computers back, hp, Walmart, Sony, Toshiba, because spyware and invader was found on them. I could be wrong but don’t think so. My laptop is a year old I have had 3 hard drives one replacement laptop and I am getting hard drive errors on this one. Unfortunately my warranty is out.
    I do like Webroot it is a strong and powerful software.

  2. Pingback: Beware of Fake Adobe Flash Apps « Webroot Threat Blog
