There are millions of people using Skype. In fact, early this year, Skype had reached 40 million concurrent users; all were signed onto Skype, all at once. And yes, it is widely available on mobile devices. Last week, a new piece of malware was spotted trying to take advantage of Skype's popularity, specifically targeting Android mobile users – we detect this threat as Trojan:AndroidOS/SMSFakeSky.A and Trojan:Java/SMSFakeSky.A. In this case, the cybercriminal's fraudulent scheme was to lure users to alternative sources for apps, by employing a neat trick with cloned, 'legitimate look and feel' apps and distribution websites.

For instance, myadroidma{redacted}.net is an Android Market look-alike, serving more than 50 different fake apps. The cunning activity surrounding these fake apps may extend to more nefariousness, where distribution affiliates spread to many webmasters (Note that fellow researchers who conducted an in-depth analysis on this topic are presenting at VB2012 with their paper titled 'Less aggressive, more effective: social engineering with paid archives'). Evidently, there is an incentive for cybercriminals to create this deceptive market mechanism, which enables them to deploy an advanced social engineering attack – where victims are easily exposed to manipulation and control.

The way for criminals to make money here is to have control over the SMS or MMS read, send and receive functionalities of the victim's mobile device. These functionalities are actually triggered by the fake app's UI, for example, the progress bar -- and thereafter require user interaction by pressing 'Agree' to continue the installation. Behind this interaction, the malicious app sends multiple SMS to premium numbers resulting in incurred costs to the affected user. The victim's interaction with these fake apps may lead to further social engineering tricks, such as requiring the user to install Adobe Flash Player to play certain content, but actually installing another malicious app.

Figure 1 – Installation of fake Skype and Opera Mini

The deception behind the UI controls is difficult for users to detect. It is likely that the malicious activity would cause mobile charges before the victim notices it, and this creates a large incentive for cybercriminals to continue perpetrating this fraud.

Just as you would when taking care of any valuable property, mobile users need to take appropriate security measures and precautions. In this case, we advise users to consider the following measures:

  • Download your apps from only legitimate and trusted sources. For example, Skype for Android is available at Google Play.
  • Install an antimalware solution for your device.

Example files:

Trojan:AndroidOS/SMSFakeSky.A - F4BBDCB9D560F03E4313ACC32A972973D84F0F8B
Trojan:Java/SMSFakeSky.A - 2FA7D316EB5B7DF281230C8FD81123CA559CC7D4
 

Methusela Cebrian Ferrer
MMPC Melbourne