For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family.

Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files.

In one case, when we compare the per-file CRCs of two downloads, we can see that the only meaningful change is in “res/raw/data.db”. The other changed files, in META-INF, hold the package’s signature data, so they simply reflect the fact that res/raw/data.db has been modified.

CRC (Installer.APK)  CRC (SKACHAT.APK)  Filename
9dc48f61             074c54b5           META-INF/MANIFEST.MF
b1377893             42ecb534           META-INF/ALARM.SF
248c37f7             65105b65           META-INF/ALARM.RSA
40659b25             40659b25           AndroidManifest.xml
bbd88c2d             bbd88c2d           resources.arsc
7a3498c4             7a3498c4           classes.dex
6129f361             9e488e9e           res/raw/data.db
27bc873d             27bc873d           res/drawable-hdpi/logo.png
27bc873d             27bc873d           res/drawable-ldpi/logo.png
27bc873d             27bc873d           res/drawable-mdpi/logo.png
fa11bed8             fa11bed8           res/drawable-hdpi/icon.png
fa11bed8             fa11bed8           res/drawable-ldpi/icon.png
fa11bed8             fa11bed8           res/drawable-mdpi/icon.png

This means that they share exactly the same code (stored in classes.dex), but that the data is variable. Examining the code, we see that res/raw/data.db contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware. The content of those SMS messages is changed with every download, thereby producing unique files.

In another case of Opfake, the polymorphism was achieved using a different technique. We noticed that there were APKs where all of the code and data files were identical and only the manifest and signature files were different:

CRC       Filename
311fa59a  META-INF/MANIFEST.MF
86f1655e  META-INF/CERT.SF
ed814261  META-INF/CERT.RSA
02568138  AndroidManifest.xml
5539013f  classes.dex
c9805df6  res/drawable-hdpi/icon.png
c9805df6  res/drawable-mdpi/icon.png
c9805df6  res/drawable-ldpi/icon.png
1d66a094  res/layout/offert.xml
b93210cd  res/layout/grant_access_to_content.xml
169b2a86  res/layout/main.xml
30fe74be  res/raw/activation_schemes.cfg
aca144d2  res/drawable/progress_finished.xml
3367b765  res/xml/countries.xml
f3087726  resources.arsc
88a24ad9  0.temp
88a24ad9  1.temp
88a24ad9  2.temp
88a24ad9  …

Here the polymorphism is achieved by simply re-ordering the code and data files within the application package. When the package is created, the differences in file ordering will cause different manifest and signature files to be created.

Finally, the packages also included dummy .temp files. We have seen upwards of forty of these dummy files in a single package. However, the number of dummy .temp files may change with each download, providing even more permutations each time the application is downloaded. Interestingly, the .temp files do not seem to be used by the threat in any way, and they all contain this mysterious picture:
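To make the three techniques concrete, the following script is an added example (it is not Symantec's tooling and not part of the original post). It reproduces the per-file CRC comparison shown in the tables above on two constructed, invented package files that mimic all three tricks: changed data inside res/raw/data.db, reversed entry order, and a varying number of identical .temp padding files. diff_apks classifies which entries differ, and code_fingerprint hashes only the code entries so that downloads of the same build group together despite the polymorphism. Every file name, content and number in build_sample is an assumption made for the demonstration, not data from real samples.

```python
import hashlib
import io
import zipfile

# Entries that carry the application's code. Per the post these stay
# identical across downloads while data, order and dummy files vary.
CODE_ENTRIES = ("AndroidManifest.xml", "classes.dex", "resources.arsc")


def is_signature(name):
    """META-INF/* holds the JAR signature and changes whenever anything else does."""
    return name.startswith("META-INF/")


def is_dummy(name):
    """The padding files the post describes (0.temp, 1.temp, ...)."""
    return name.endswith(".temp")


def build_sample(variant):
    """Constructed stand-in for one download of a polymorphic package.
    Not a real sample: all contents are invented so the script runs offline.
    Variants 1 and 2 differ only by the three techniques from the post."""
    common = [
        ("AndroidManifest.xml", b"<manifest package='example.app'/>"),
        ("classes.dex", b"dex\n035\x00" + b"CODE" * 64),
        ("resources.arsc", b"ARSC" * 32),
        ("res/drawable-hdpi/icon.png", b"\x89PNG" + b"\x00" * 40),
    ]
    # Technique 1: variable data, here the message text in the embedded database.
    data_db = b"operator|number|message\nExampleOp|1234|text-%d\n" % variant
    entries = common + [("res/raw/data.db", data_db)]
    # Technique 2: file re-ordering inside the archive (even variants reversed).
    if variant % 2 == 0:
        entries = entries[::-1]
    # Technique 3: a varying number of identical dummy .temp files.
    dummy = b"\x89PNG" + b"picture" * 8
    entries += [("%d.temp" % i, dummy) for i in range(3 * variant)]
    # The manifest and signature files are derived from the entries, so they
    # change whenever contents or order change, exactly as in the tables.
    manifest = "\n".join(
        "Name: %s\nSHA1-Digest: %s" % (n, hashlib.sha1(d).hexdigest()) for n, d in entries
    ).encode()
    entries = [
        ("META-INF/MANIFEST.MF", manifest),
        ("META-INF/CERT.SF", hashlib.sha1(manifest).hexdigest().encode()),
        ("META-INF/CERT.RSA", b"placeholder-signature-blob"),  # invented, not a real signature
    ] + entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


def entry_crcs(apk_bytes):
    """(filename, CRC32) for each entry in archive order, like the tables above."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return [(info.filename, info.CRC) for info in z.infolist()]


def diff_apks(apk_a, apk_b):
    """Classify the differences between two downloads of the same package."""
    order_a, order_b = entry_crcs(apk_a), entry_crcs(apk_b)
    crc_a, crc_b = dict(order_a), dict(order_b)
    changed = sorted(n for n in crc_a.keys() & crc_b.keys() if crc_a[n] != crc_b[n])
    payload_a = [n for n, _ in order_a if not is_signature(n) and not is_dummy(n)]
    payload_b = [n for n, _ in order_b if not is_signature(n) and not is_dummy(n)]
    return {
        "signature_only": [n for n in changed if is_signature(n)],
        "content_changed": [n for n in changed if not is_signature(n) and not is_dummy(n)],
        "reordered": payload_a != payload_b,
        "dummy_count": (sum(map(is_dummy, crc_a)), sum(map(is_dummy, crc_b))),
    }


def code_fingerprint(apk_bytes):
    """Hash over the code entries' CRCs only. It is stable across all three
    polymorphism techniques, so it groups downloads of the same build."""
    crcs = dict(entry_crcs(apk_bytes))
    material = "|".join("%s:%08x" % (n, crcs.get(n, 0)) for n in CODE_ENTRIES)
    return hashlib.sha256(material.encode()).hexdigest()


if __name__ == "__main__":
    a, b = build_sample(1), build_sample(2)
    print(diff_apks(a, b))
    print("same build:", code_fingerprint(a) == code_fingerprint(b))
```

On real downloads the same functions take the raw APK bytes, since an APK is an ordinary ZIP archive. The fingerprint deliberately ignores everything under res/raw and the padding entries; a new manual revision of the code, such as the changes the post says are made every few days, shows up as a fresh fingerprint, which is the expected way for such clusters to split.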

Once the packages are downloaded and installed on the phone, SMS messages are automatically sent and the browser opens certain websites that are hosting further malware and/or the actual legitimate Android applications. Below are some examples of the fraudulent sites that are participating in the distribution of the malware:

While all of the distribution sites that have thus far been discovered are in Russian, the packages have the ability to send SMS messages not just in Russia, but also in other countries across Europe as well as countries like Australia and Taiwan. The following countries are affected by this threat:

Armenia
Australia
Austria
Azerbaijan
Belarus
Belgium
Bulgaria
Czech Republic
Denmark
Estonia
France
Georgia
Germany
Ireland
Israel
Kazakhstan
Kyrgyzstan
Latvia
Lithuania
Netherlands
Norway
Poland
Portugal
Russia
Spain
Sweden
Taiwan
United Kingdom
Ukraine

Though server-side polymorphism is used here, Symantec’s Norton Mobile Security protects customers against the automatically generated variants. We also block access to the websites hosting the Android package with Web Protection. We always advise people to download applications from sources they trust and to be cautious about the permissions they grant to applications. For example, Android.Opfake will always request the capability to send SMS messages, as can be seen below.

Update February 2, 2012:

The "unidentified" individual in the mysterious picture has been identified as Свидетель из Фрязино. Thanks to Sean Sullivan of F-Secure for the information. The man is known for being digitally manipulated into various photographs.