Over 60 percent of Android malware comes from one malware family: McAfee

As the popularity of Android has grown, so has the number of hackers and malware targeting it. However, it has now been revealed that a majority of threats for Android originate from a single malware family, Android.FakeInstaller.

According to a report by cyber security firm McAfee, malware from the FakeInstaller family accounts for more than 60 percent of all Android threats the firm processes. The FakeInstaller malware masquerades as popular apps, and once installed by users, generates revenue by silently sending SMS messages to premium numbers without the user’s consent. McAfee states that there are a large number of variants for this malware, and it is distributed on hundreds of websites and fake markets.

This malware has apparently been hugely effective as people tend to fall for fake apps quite easily. What’s more, McAfee states that such threats are growing dangerous as they are implementing advanced techniques to circumvent detection such as server-side polymorphism, obfuscation, antireversing techniques and frequent recompilation.

McAfee states that the deception starts when users search for a popular application and access a fake official site or fake market via search engines or social networks. Applications usually appear to be legitimate, including screenshots, descriptions, user reviews and videos, as a result of which unsuspecting users fall into the trap and install the malware.

Android more exposed to malware than Apple devices

Andriod.FakeInstaller masquerades as legitimate apps and takes your money.



After installation, when Android.FakeInstaller is executed, it displays a service agreement that tells the user that one or more SMS’ will be sent; this agreement has apparently been found in Russian or English. The user is then forced to click an Agree or Next button, which sends a premium SMS message. McAfee reveals that it has come upon versions of the malware that send SMS messages before users even see or click a button. Often, fake progress bars are displayed to make users think some process is taking place.

There are also versions of FakeInstaller that besides sending premium SMS messages, also include a backdoor to receive commands from a remote server. A variant, FakeInstaller.S uses “Android Cloud to Device Messaging” to register the infected devices in a database and send them messages (URLs) from malware authors Google accounts.

McAfee states that previous versions of FakeInstaller were meant only for Eastern European users, but the developers of the malware have expanded their code to include other countries - adding instructions to get the Mobile Country Code and Mobile Network Code of the device. Based on that information, Android/FakeInstaller selects the premium-rate numbers and the text for the SMS messages.

The Android.FakeInstaller malware familly’s effectiveness and money-making ability has motivated malicious app writers to keep updating and improving their malware. Moreover, new fake markets and fake websites spring up almost daily, and are hard to keep track of. These sites often redirect queries for app downloads to the malicious version of the app on a different server.  McAfee states that it has also seen fake-site URLs shared via Twitter by bot accounts and fake Facebook profiles.

“Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software,” McAfee states.


How to stay secure? Simple: Don't install any app from outside the Google Play store or follow links on strange websites. Also, it wouldn't hurt to install some sort of antivirus on your smartphone.

Published Date: Oct 12, 2012 18:08 PM | Updated Date: Oct 12, 2012 18:08 PM