Thursday, March 15, 2012

Android Opfake aka FakeSMSInstaller

File:  opfake
Sample Credits:   with many thanks to  anonymous, March 12, 2012
Android.Opfake.B Adopts Bot Tactics

Download  - password infected 

  MD5 list

File: com.adobe.flash.player.apk  MD5:  b8c22ab1c3c622c3b5e0489971be6f2cFile: com.andorid.mirror.ap MD5:  75e5efa00de3255483dbffc8c8a19365
File: MD5:  e76d0b2d5623ba75982edcb4e3ec4a81
File: MD5:  b4b6162ed5ff5e9c25e418482d620fe9
File: MD5:  1faf991b54239978d04bee8e908ead58
File: MD5:  e0e5cd48d087c54b0df1e87edacead2a
File: MD5:  3a3f20c5fcd0c402d9ce5f1f6b5fa9a8
File: MD5:  9974a3d53109eb99106ed10802d688ca
File: MD5:  e138559b9ac516a3ad85392712451d61
File: MD5:  f401d1837501ddbf4dfc3bfcc8bf1d2a
File: MD5:  5bbcb4b413c15852472c628475c3837e
File: MD5:  00132c17842222503e85e71d3ddbddcd
File: MD5:  d5961d800219450887e7970f288a9117
File: MD5:  b5fcb20ac121e2cf30151c7477e3cf7e
File: 7c50a08472732593558ee18fc48693052b205e45428d0163df7f5346dd4e8bf5 MD5:  88021914beb34165d78832aa5cf4cc3e
File: 83c4aa1deb06060db6fae4e13630ed18c6ebe6babc187443b5f4c265c2ee074f MD5:  6eb32f05e6b1972c68df382fab7aa636
File: 146c3f0f068813360b255b4687aaa0ae862a1daa8c44f51207007f6a42bdbb09 MD5:  e6dbee1bc8e1eaf443abf37aff5532e1
File: 3033f4621dfa13627d93059dca0d7ff4c587bd6d875d26eff00684b976505c18 MD5:  2fc4bbdb1dcdeb7e99f1f176dd1f8d74
File: d4fc8ae95d8385bd46f9c75f7e7d435c84bafc6cf724b5f0b8ffbebd571de5b6 MD5:  b27a1844acea58ae491c017a07ba13fd
File: d7d2fdba0cddd60aaabf4c7e6eb871e169dc2fed323c4c73801944d85bc634bf MD5:  9252b9efcaca2a5e2286d5097542f362

SHA256:     c4e2756619215b975800cf25be1d3c4d370db8ceaee3dfcfed6337da41c31069
SHA1:     46958078c2c0eff931264dbe4ae0155177969a0e
MD5:     e76d0b2d5623ba75982edcb4e3ec4a81
File size:     142.4 KB ( 145841 bytes )
File name:
File type:     ZIP
Detection ratio:     16 / 43
Analysis date:     2012-03-14 09:11:48 UTC ( 1 day, 19 hours ago )
Antiy-AVL     Trojan/AndroidOS.Opfake     20120314
Avast     Android:OpFake-N [Trj]     20120314
BitDefender     Android.Trojan.FakeInst.P     20120314
DrWeb     Android.SmsSend.344.origin     20120314
Emsisoft     Trojan.AndroidOS.FakeInst!IK     20120314
F-Secure     Android.Trojan.FakeInst.P     20120314
Fortinet     Android/Agent.BH!tr     20120314
GData     Android.Trojan.FakeInst.P     20120313
Ikarus     Trojan.AndroidOS.FakeInst     20120314
Kaspersky     20120314
McAfee     -     20120308
McAfee-GW-Edition     -     20120314
NOD32     Android/TrojanSMS.Agent.BH     20120314
Symantec     Android.Opfake.B     20120314
TrendMicro     AndroidOS_FAKE.DQ     20120314
TrendMicro-HouseCall     AndroidOS_FAKE.DQ     20120314
VirusBuster     Trojan.AndroidOS.Opfake.C     20120314


  1. 1) Do not trust Symantec's classification. They don't have a clue how to do exact identification. Use my dexid tool.

    2) Many of these samples contain one and the same thing. The classes.dex files inside the APK packages (this is where the code really is) are identical. Again, my dexid tool would have told you so.

    3) At least one of these isn't an OpFake variant at all. It is a FakeSMSInstaller variant. Again, use my dexid tool.

    4) Many of the sites hosting these malwares use server-site polymorphism, so the variants change almost every day.

  2. Ah, OpFake and FakeSMSInstaller is NOT one and the same thing. They are two different families. It's just that one of these samples belongs to the FakeSMSInstaller family and not to the OpFake family. Just use my dexid tool to list the class names of the samples and you'll see that the two families have very different class structures.