Contributors: Shunichi Imano

October 2011 marks the eighth annual “National Cyber Security Awareness Month” in the United States. One highly visible concern that sets this year apart is the triple-digit growth rate in mobile threats that antivirus vendors are reporting across the board. Although the main points made in these reports remain largely the same, it is clear that mobile malware has not only come of age, but that its growth has been unprecedented. The underlying message comes across loud and clear: criminals targeting mobile devices are here to stay, and are becoming as ubiquitous as the devices and platforms themselves.

But just when you think you have seen it all, along comes another twist, demonstrating that there is no shortage of ideas when it comes to social engineering. Because of the so-called “hardware fragmentation” issue surrounding the Android platform, a popular online streaming video service in the U.S. initially pushed its Android client app in a limited release to a set of devices that provided the best user experience. Owing to the popularity of the service, it wasn’t long after that initial release that multiple unsanctioned developer projects sprang up, attempting to port pirated copies of the app to devices that were not officially supported.

The official app, first released early in the year, was only recently published to the Android Market with support for multiple devices. That gap in availability, combined with the large number of users trying to get the popular service running on their own Android device, created the perfect cover for Android.Fakeneflic.

Android.Fakeneflic is a textbook case of an information-stealing Trojan that targets account credentials, and the malicious app is not difficult to understand. It requests multiple permissions at installation time, identical to the permissions required by the genuine app, but our analysis shows that this is a red herring: the app does not actually need most of them, and the list is most likely copied to reinforce the illusion that the end user is dealing with the genuine article. The practical lesson is that a permission list matching the legitimate app is not evidence that an app is legitimate; who published it, and where it was downloaded from, is what matters.

The app is divided into two main parts: a splash screen, followed by a login screen where the entered credentials are captured and posted to a remote server. At the time of writing, the server that the data was being posted to appears to be offline. The app makes no attempt to verify whether the credentials entered by an unsuspecting user are valid; anything typed in is accepted and sent. Once the user has tapped the “Sign in” button, they are presented with a screen claiming that the app is incompatible with the current hardware and recommending that another version be installed to resolve the issue. There is no attempt to download the recommended “solution” automatically. When the user taps “Cancel”, the app attempts to uninstall itself, likely to remove evidence of the theft, and any attempt to block the uninstall simply returns the user to the incompatibility screen.

A popular song from the early 80s goes: video killed the radio star, highlighting the rise of television and the demise of radio as a mainstream medium. Android.Fakeneflic goes to show that “on-demand content”, the next evolution of media, is not without its own demons. Not much in that for a song, though maybe a country song? But one thing is for sure: this threat really makes you wonder whether the section of television user manuals about adjusting the antenna for better reception will soon be replaced by a section on how to run a full scan.

Update [13 Oct 2011]: Netflix customers looking for the legitimate Android application developed by Netflix, Inc. can find it on the official Android Market. Downloading only from trusted sources is part of practicing good security for your mobile device.