Softpedia
 


July 14th, 2011, 16:19 GMT · By

Android Trojans Pose as Legit Security Applications

Android malware authors have begun passing their creations off as legit security applications; trojans posing as Kaspersky Anti-Virus and Trusteer Rapport have been seen so far.

Spoofing security software is common with desktop threats, particularly scareware applications that imitate antivirus programs. However, the trend is relatively new with mobile malware.

The Android trojan that poses as the Trusteer Rapport security application is actually the new ZeuS-in-the-mobile (Zitmo) variant discovered by security researchers recently.

Researchers from Kaspersky have found web pages generated by a desktop ZeuS variant that inform users about a new mobile security app for online banking.

Users are asked to choose their mobile operating system and if Android is selected, they are served an .apk file which installs the fake Rapport application.

The application is actually quite simple. It monitors SMS messages and sends copies of them to a remote server. This is done in order to intercept mobile transaction authentication numbers (mTANs).

Meanwhile, security researchers from Sophos have come across an Android trojan that poses as Kaspersky Anti-Virus 2011. The application appears to be a test and not an actual malicious trojan, but it is a good indication that malware creators are toying with the idea of impersonating security vendors.

Similar to the Zitmo component, after installation, the fake Kaspersky app tries to generate and display an activation code. After this, it intercepts SMS messages and sends them to a remote server.

"Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.

"Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server," concludes Vanja Svajcer, a principal virus researcher at SophosLabs.
