So Much For Bouncer: New Android Malware Uses Facebook To Spread

Even though Google recently introduced a malware-blocking system called Bouncer to keep the Android Market safe from malicious software, crafty spammers and fraudsters are still finding ways around the restrictions to get their software onto users’ phones. The latest example? A malware program hidden behind the nondescript file name “any_name.apk.” And it appears to be using Facebook, browsed from Android phones, in order to spread.

The software was discovered by security firm Sophos, which came across the malware after receiving a Facebook friend request. When checking out the user’s profile, the researcher, Vanja Svajcer, found a link posted to the requester’s Facebook profile page that, when clicked, directed the browser to a webpage which started an automatic download of an unknown software application to the device.

The software downloaded and installed immediately, without any request for authorization or input from the end user. However, although Svajcer doesn’t mention this in his analysis, for software to install from outside the Google Android Market at all, the phone’s default settings must have been changed. Android ships with installation from “unknown sources” (anything other than the official Android Market) disabled. Many savvy Android users enable it, though, because they enjoy the freedom that Android provides in discovering apps from alternative app stores and download locations – like the treasure trove that is the XDA Developers forum, for example.

Unfortunately, malware like this is the nasty side effect. And there’s nothing Bouncer can do about it, since the app never passes through the Market. The URL the researcher clicked gave no hint that it led to an APK file; it looked like a link to an ordinary website. And it was placed in the user’s About Me section on Facebook, as if it were a link to that person’s homepage.

Of course, many folks would simply ignore a friend request from someone they didn’t know, but curiosity often gets the better of us. (Do I know them? Did we meet at some point, and I forgot?) One errant click, and oops, you’re infected.

In this particular case, the malware appears to be designed to earn money for fraudsters through premium rate phone services, a scam seen mostly outside the U.S. The infected phone sends text messages to premium rate numbers (numbers that charge the sender), and the charges land on the unsuspecting victim’s phone bill. The scammers, who operate the numbers, collect the money.

The app attempts to pass itself off as the Opera browser, and an encrypted configuration file contains the dialing codes for all the supported countries where the premium rate numbers are hosted.
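The traits described above (sends SMS, wants to see incoming SMS, poses as a known browser) are exactly what a quick permission triage of a suspicious APK surfaces. The script below is an added example, not part of the Sophos analysis or this article, and it assumes the APK’s manifest has already been decoded to plain XML with a tool such as apktool. Both manifests it inspects are constructed for the example (the package names, labels and the “Opera Mini” mimicry are hypothetical); the permission and action names are the real Android SDK identifiers. The scoring rules are this example’s own heuristic, not a detection signature for the malware Sophos found.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission names; the grouping below is this example's heuristic.
SEND = "android.permission.SEND_SMS"
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SUPPORT = {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"}

# Constructed sample (not a real malware manifest): a decoded manifest, in the
# form apktool emits, for a hypothetical app posing as a browser.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser.installer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Opera Mini">
        <activity android:name=".Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign control: a hypothetical notes app that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".Main"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse(manifest_xml):
    return ET.fromstring(manifest_xml.encode("utf-8"))


def permissions(root):
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def sms_receiver_priorities(root):
    """Priorities of broadcast receivers listening for incoming SMS.

    On the Android versions of the time SMS_RECEIVED was an ordered broadcast,
    so a high-priority receiver could read and abort a carrier's billing
    confirmation before the user's messaging app ever saw it.
    """
    priorities = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priorities.append(int(_attr(flt, "priority") or 0))
    return priorities


def triage(manifest_xml):
    """Return package, label, findings and a risk verdict for one manifest."""
    root = parse(manifest_xml)
    perms = permissions(root)
    app = root.find("application")
    label = _attr(app, "label") if app is not None else None
    package = root.get("package", "")
    findings = []

    if SEND in perms:
        findings.append("requests SEND_SMS: can text premium-rate numbers")
    if perms & SMS_READ:
        findings.append("can read incoming SMS: can hide carrier replies")
    for prio in sms_receiver_priorities(root):
        if prio >= 500:
            findings.append("SMS_RECEIVED receiver with priority %d" % prio)
    if SEND in perms and perms & SUPPORT:
        findings.append("SMS plus network/phone-state access: typical of SMS fraud kits")
    # Brand mimicry heuristic (assumption): label claims Opera, package does not.
    if label and "opera" in label.lower() and not package.startswith("com.opera."):
        findings.append("label mentions Opera but package is not under com.opera")

    if SEND in perms and (perms & SMS_READ or perms & SUPPORT):
        risk = "high"
    elif SEND in perms:
        risk = "medium"
    else:
        risk = "low"
    return {"package": package, "label": label, "findings": findings, "risk": risk}


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage(xml)
        print(report["package"], report["risk"])
        for finding in report["findings"]:
            print("  -", finding)
```

Legitimate messaging apps request SEND_SMS too, so a "high" verdict is a reason to look closer (what does the app claim to be, and why does a browser need SMS?), not a conviction. The check is cheap enough to run on every off-Market APK before tapping Install, which is the step the researcher notes ordinary users skip.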

As a side note: a few days later, the researcher visited the same URL but was redirected to an all-new website where another APK file was automatically downloaded (hilariously called “allnew.apk”). This one was functionally similar but different at the binary level, indicating it was a new variant of the same malware.

Maybe it’s time for Android’s Bouncer guy to get pre-installed on handsets, too?

UPDATE: We spoke to Google about this issue, and they’re telling us that the software installation process portrayed in the Sophos video could not have occurred as demonstrated. Even with an off-market, malware-ridden APK file, the app would have downloaded to the device, but additional user-initiated steps would need to have taken place before the software installed and ran as shown. We’re still awaiting a response from Sophos on that front.

To be clear, Bouncer is a good first step towards protecting Android users, but regardless of what methods are used to lock down the Android Market, spammers and scammers can always find another way in.

UPDATE #2: We reached out to the researcher, and here is his response.

The malware is downloaded but not automatically installed. That’s why the video just shows the download. But for ordinary users it could still be a serious attack. In my experience, they rarely check the permissions when they install an app. Simple social engineering tricks could be used to then trick them into installing the app.

So, although this does not exploit some Android vulnerability, it is an interesting combination of a web based attack that caters for Android devices. And it is, of course, interesting to see Facebook being used by Android malware purveyors in this way.