While the malicious applications looked like free copies of well-known programs, including Angry Birds, in reality they were all just differently skinned versions of a malicious application known as RuFraud, which is designed for SMS toll fraud. That means that the developer causes the phones to send messages to premium numbers, thus generating profits for whoever owns those numbers.
Google has already removed the malicious applications.
To date, there have been three waves of RuFraud attacks. The first began last week, when attackers posted nine malicious apps to the Android Market that were identical, but skinned in different ways to make them more appealing. For example, one pretended to be wallpaper for the Twilight movies, while others claimed to be downloaders for such games as Angry Birds and Cut the Rope.
This week, meanwhile, horoscope applications containing RuFraud were posted to the Android Market. After Google removed those, fraudsters "posted 13 new supposed downloaders to the Android Market, once again positioned as free versions of popular games," said mobile security vendor Lookout. Whereas earlier malicious applications had been downloaded by relatively few people, Lookout said that "these apps may have reached a broader audience while published to the market: We estimate upwards of 14,000 downloads of these apps."
The titles of the cloned games in question range from "Cut the Rope FREE" and "Assassin's Creed Revelations" to "Angry Birds FREE" and "Talking Larry the Bird Free."
The apps disclose on their permission screen their request to send SMS messages that may cost the user money. Interestingly, in at least some cases, buried in the RuFraud software's terms of service is a warning that using the application might result in SMS charges. "The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links," according to a blog post from Lookout, which discovered the malicious applications.
Based on the premium short codes coded into the application, the attack "could affect users in Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine, Estonia as well as Great Britain, Italy, Israel, France, and Germany," said Lookout. "North American users were not affected as the fraudulent SMS code is gated on the user's country (as indicated by their SIM)."
Vanja Svajcer, a principal virus researcher at SophosLabs, said in a blog post that these attacks--executed by the malicious developer known as Logastrod--follow an established Android Market pattern: clone a real app, add malicious capabilities, then upload it back to the Android Market or another application store, pretending it's the real deal.
Likewise, RuFraud exploits a well-known Android attack vector. "Misusing premium SMS services is the most common model for malicious mobile malware," he said. "When a malicious app is installed, it starts sending or receiving messages, which makes the installation very expensive for the user. The damage is often seen only when it is too late, once a monthly bill is received."