Since our discovery, the server-side polymorphic APK malware called Android.Opfake has continued to evolve, modifying the algorithm for its polymorphic functionality used to evade detection. It also continues to change the names of the applications it pretends to be and is creating countless domains to host its malicious files. Now the developers of the threat appear to be making a major upgrade. This can be seen from the permissions the malicious apps request during install. Typically, old variants used to only ask for permissions like the following:
The permission to send SMS messages was essentially all the malware needed to charge the owner of the compromised device premium SMS rates. Now, the malware wants permissions to read contact data, modify and delete content on the SD card, and automatically start at boot, among other things:
Not only does it still send premium SMS messages, the latest variant posts the phone number of the compromised device on to a predetermined server, notifying the attacker of the infection. There is also a back door running in the background, waiting for commands through SMS. When a message containing a certain string is received, the malware reads it as a command from the attacker and, depending on the instructions, performs the following actions:
- Send details such as the IMEI, IMSI, or any received SMS messages
- Send SMS messages
- Configure the URL that communicates with the server
- Update or remove rules used by the malware to process the SMS messages received
- Issue HTTP GET requests
- Exfiltrate the contact list on the device
- Download .apk files and store them on the SD card
The malware is keeping itself alive by running in the background and automatically starts if the device is rebooted. There is also code that attempts install downloaded .apk files, which could be updates of the malware. However, it lacks the permission to do so in the current version.
Developers of Android.Opfake continue to invest a lot of time and effort into their malware, so it’s not surprising to see this update. It’s likely we will see this evolve even further, so long as it’s profitable. Symantec’s Norton Mobile Security detects this variant as Android.Opfake.B. We will continue to monitor the attack and note any significant changes we observe.