Malware authors creating fake Android markets that mimic the look and feel of the real Google Play to exploit users is not a new concept, and we’ve talked about it in previous blogs.
Recently, we’ve found fake markets built with such detail that it’s hard to tell which is the real Google Play and which is a scam.
The Android Trojan Obad is back in the news due to its new methods of delivery — teaming up with the makers of SMS Trojans to spread their malware.
One method uses spam to get an SMS Trojan installed. Once installed, it goes through the victim’s contact list and spams those contacts with links to Obad.
Kaspersky Labs has a nice write-up about how Obad has evolved and how they use a very good fake Android market as another delivery method. This Play Store looks to be a mirror of an older version of the legit Play Store, with Russian as its original language.
Even how the URLs are constructed and point to each app’s landing page is very similar. I doubt many users pay attention to the URL and are aware that the URL contains the app’s Package Name, the unique identifier for an app (com.skype.raider in the images).
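As an added illustration (not code from the original post or from Kaspersky’s write-up), here is a small check that pulls the package name out of a Play-style landing-page URL and flags pages that copy that structure on any host other than play.google.com. The exact host and the /store/apps/details?id= path are assumed from the real Play Store’s URL format; the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: the real Play Store landing page lives at exactly
# this host and path; any other host using the same structure is a lookalike.
REAL_PLAY_HOST = "play.google.com"
DETAILS_PATH = "/store/apps/details"

# Android package names: dot-separated identifiers, each segment starting with a
# letter, at least two segments (e.g. com.skype.raider).
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_from_url(url: str):
    """Return the package name carried in the ?id= parameter of a Play-style
    landing-page URL, or None if the URL does not have that structure."""
    parts = urlsplit(url)
    if parts.path != DETAILS_PATH:
        return None
    ids = parse_qs(parts.query).get("id", [])
    # Exactly one well-formed id; duplicates or junk values are rejected.
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        return None
    return ids[0]


def classify_play_url(url: str) -> str:
    """'real'      -> Play-style page on the genuine host
       'lookalike' -> Play-style page on any other host (the fake-market pattern)
       'other'     -> not shaped like a Play landing page at all"""
    if package_from_url(url) is None:
        return "other"
    # urlsplit().hostname drops userinfo tricks such as play.google.com@evil.test
    host = (urlsplit(url).hostname or "").lower()
    return "real" if host == REAL_PLAY_HOST else "lookalike"


# Constructed sample URLs, e.g. from a proxy log or an SMS spam corpus.
SAMPLE_URLS = [
    "https://play.google.com/store/apps/details?id=com.skype.raider",
    "http://play.google.com.fake-market.example/store/apps/details?id=com.skype.raider",
    "https://play.google.com@fake-market.example/store/apps/details?id=com.skype.raider",
    "http://fake-market.example/downloads/skype.apk",
]


def triage(urls):
    """Map each URL to (classification, package name) for review."""
    return {u: (classify_play_url(u), package_from_url(u)) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict[0]:9} {verdict[1]}  {url}")
```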
Fake Play
Upon visiting this fake Play Store, apps are immediately downloaded to your desktop or mobile device. It definitely takes a few more steps to get a download from the legit Play Store. It’s a pretty good fake and obviously took a bit of effort to build.
I’ve always believed the premium-SMS Trojan is a very profitable malware model. Since their creators effectively use fake markets to get installs, it makes sense for other malware to start using the same methods.
Legit Play
Maybe it’s the same gang; after all, it would be pretty trivial for them to change the malware on their servers.
Over the last few days the fake site has been serving up the same version of Obad. We will be monitoring to see if new malware variants appear before the site is shut down.
Just a reminder to not venture too far from your trusted source for Android apps. The Android ecosystem still looks like the Wild West, as it was labeled a few years ago, but better to stick with it than get exploited.