Activity emulated

Thursday, February 16, 2017

Imagine a program that downloads another program and leaves feedback about whether it liked the software. Sounds crazy, but…

Android.Skyfin.1.origin uses information it’s collected to connect to Google Play and imitate what Play Store does.

The Trojan can send the following queries:

  • /search – search the catalogue to imitate user actions;
  • /purchase – send a request to buy an app;
  • /commitPurchase – confirm a purchase;
  • /acceptTos – accept the license agreement terms;
  • /delivery – request an apk-file download link;
  • /addReview /deleteReview /rateReview – add, delete, and rate a review;
  • /log – confirm a download to artificially inflate the installation counter.
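The request chain above is what makes the Trojan's traffic distinctive: a single device walks purchase, confirmation, apk link, download confirmation and review in seconds, far faster than a person tapping through Play Store. The following detection sketch is an added example, not code from the article or from Doctor Web; the log format, the device ids and the timestamps are constructed, and the 30-second threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Play API requests as a proxy or gateway might log them.
# dev-A runs the whole Skyfin chain in three seconds; dev-B looks like a person
# and never posts a review at all.
SAMPLE_LOG = """\
2017-02-16T10:00:00 device=dev-A path=/search
2017-02-16T10:00:01 device=dev-A path=/purchase
2017-02-16T10:00:01 device=dev-A path=/acceptTos
2017-02-16T10:00:02 device=dev-A path=/commitPurchase
2017-02-16T10:00:02 device=dev-A path=/delivery
2017-02-16T10:00:03 device=dev-A path=/log
2017-02-16T10:00:04 device=dev-A path=/addReview
2017-02-16T10:00:05 device=dev-A path=/rateReview
2017-02-16T10:05:00 device=dev-B path=/search
2017-02-16T10:07:30 device=dev-B path=/purchase
2017-02-16T10:07:45 device=dev-B path=/acceptTos
2017-02-16T10:07:50 device=dev-B path=/commitPurchase
2017-02-16T10:07:51 device=dev-B path=/delivery
2017-02-16T10:12:00 device=dev-B path=/log
"""

LINE_RE = re.compile(r"^(\S+) device=(\S+) path=(\S+)$")

# The steps the article lists, in the order the Trojan performs them:
# buy, confirm, fetch the apk link, report a download, then post a review.
INSTALL_AND_REVIEW_CHAIN = ["/purchase", "/commitPurchase", "/delivery", "/log", "/addReview"]

def parse_log(text):
    """Group (timestamp, path) events per device id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    return events

def chain_span(events, chain):
    """Seconds from the first to the last chain step if all steps occur in order, else None."""
    idx, first = 0, None
    for ts, path in sorted(events, key=lambda e: e[0]):  # stable: ties keep log order
        if path == chain[idx]:
            first = first or ts
            idx += 1
            if idx == len(chain):
                return (ts - first).total_seconds()
    return None

def flag_automated_devices(text, max_seconds=30):
    """Devices that completed the full chain within max_seconds (assumed threshold)."""
    flagged = {}
    for device, evs in parse_log(text).items():
        span = chain_span(evs, INSTALL_AND_REVIEW_CHAIN)
        if span is not None and span <= max_seconds:
            flagged[device] = span
    return flagged
```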

Once Android.Skyfin.1.origin downloads the application specified by the intruders, it doesn't install it but saves it to the SD card, so the user never notices new applications appearing out of nowhere.

Why do you think malicious programs spend your money to buy applications on Google Play instead of just stealing the funds? Let’s immediately discard the notion that some kind of software collector has ended up on the device, or that a researcher wanted to know how many applications the Trojan could download before the user noticed anything.

It’s much stranger than that. It’s clear that users looking for an application they need, or just a good game, don’t want to end up with a program that is an unknown quantity, especially if they need the program for work. No one wants to lose their data. So it's quite logical that users rely on other people's reviews, ratings, and the number of installations—after all, how else can they determine whether a program is good or bad? That's why programs such as Android.Skyfin.1.origin exist; it’s their job to inflate the number of downloads and post glowing reviews.

Criminals who spread such malware work for other virus makers and legitimate software developers who want to increase sales using somewhat dishonest means. That's why it's not only about inflated ratings. Negative reviews about competitors’ products are also common.

Any individual or company can register on Google Play as a developer and upload any applications into the catalogue. All uploaded programs are checked, but virus makers never stop devising new tricks to bypass those checks, and every now and then, they do succeed. If an account under which criminals have uploaded malware to Google Play gets suspended, they merely create a new one.

#security #mobile #Android #Google_Play

The Anti-virus Times recommends

  1. Read the reviews, but do so carefully. A large number of similar positive or negative reviews always appear suspicious. Always look for detailed feedback—it is more likely to be provided by real people.

    Unfortunately, fraudsters can employ "real" users too. There are services that reward handheld owners for performing certain actions on their smart phones and tablets. Reviews generated this way appear more natural. But because the quality of these reviews still leaves much to be desired, you may still be able to recognise that the feedback is fake.

  2. If you see that a lot of reviews were submitted shortly after an application appeared on Google Play, be suspicious.
  3. A lack of detailed reviews, a huge number of downloads, or an extremely high rating for a brand-new application also looks strange. Someone will always be unhappy with a program.
  4. A program shouldn't request access to features it’s not supposed to use. Read the list of requested permissions beforehand, and if it appears suspicious, cancel the installation.
  5. Install an anti-virus. Statistics show that the number of malware downloads is huge. Five hundred thousand users downloaded Android.Spy.134 and Android.Spy.135 from Google Play; Android.MulDrop.924 was downloaded 1,000,000 times; 2,800,000 Android.Spy.305.origin downloads...
  6. Check whether the developer has an official website. Make sure that the developer’s company name matches the name that is provided on the site. Use the link on the developer's site to go to Google Play and download the program.
  7. Unfortunately, a developer’s popularity not only serves as a guarantee that their applications are of high quality, but also encourages criminals to make programs that look like the top-rated ones or have similar titles. Stay vigilant and read titles carefully.

    Fake Dr.Web for Android programs appear regularly. If you come across an application of this sort, please send us the link or post a review and describe how the app differs from our product.
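Points 1 to 3 above can be turned into simple signals over an app's review list: the share of reviews posted right after publication, the share of near-identical texts, the share of detailed reviews, and the average rating. The scorer below is an added example, not code from the article or from Doctor Web; the reviews, the publication date and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample: an app published on 2017-02-01 with a burst of copy-paste praise
# and one real-looking complaint two and a half weeks later.
PUBLISHED = date(2017, 2, 1)
REVIEWS = [
    (date(2017, 2, 2), 5, "Great app!"),
    (date(2017, 2, 2), 5, "Great app"),
    (date(2017, 2, 2), 5, "great app!!!"),
    (date(2017, 2, 3), 5, "Best app ever"),
    (date(2017, 2, 3), 5, "best app ever."),
    (date(2017, 2, 20), 2, "Crashes whenever I open a PDF larger than 10 MB; otherwise the viewer is fine."),
]
# Constructed control sample: two unhurried, specific reviews.
CLEAN_REVIEWS = [
    (date(2017, 3, 10), 4, "Works well for syncing notes between my phone and tablet, but the widget is slow."),
    (date(2017, 4, 2), 3, "Decent, but the ads in the free version are intrusive and export is limited to txt."),
]

def normalise(text):
    """Lower-case, strip punctuation and collapse whitespace so 'Great app!!!' == 'great app'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", text.lower()).split())

def review_signals(reviews, published, burst_days=3, detail_words=8):
    n = len(reviews)
    burst = sum(1 for d, _, _ in reviews if (d - published).days <= burst_days)
    texts = Counter(normalise(t) for _, _, t in reviews)
    duplicated = sum(c for c in texts.values() if c > 1)
    detailed = sum(1 for _, _, t in reviews if len(t.split()) >= detail_words)
    return {
        "burst_share": burst / n,
        "duplicate_share": duplicated / n,
        "detailed_share": detailed / n,
        "avg_rating": sum(r for _, r, _ in reviews) / n,
    }

def suspicious(reviews, published):
    """Return the reasons (if any) why this review set looks inflated; thresholds are assumed."""
    s = review_signals(reviews, published)
    reasons = []
    if s["burst_share"] > 0.5:
        reasons.append("most reviews posted right after publication")
    if s["duplicate_share"] > 0.3:
        reasons.append("many near-identical reviews")
    if s["detailed_share"] < 0.2:
        reasons.append("almost no detailed reviews")
    if s["avg_rating"] >= 4.8:
        reasons.append("implausibly high average rating")
    return reasons
```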

And a final point. Once you refuse to use an anti-virus and let malware infect your device and raise a download count, you become an accomplice to fraud. Of course, you aren’t doing anything illegal yourself, but because of you, other people will fall for the trick.
