Wednesday, April 18, 2012

Fake Instagram - Fake App Toll Fraud - Android Malware

File:       Fake Instagram
Sample Credits:   with many thanks to Tim Strazzere, April 18, 2012
The Continuing Saga of Fake App Toll Fraud  - Lookout

Download  - password infected

SHA256:     6963cfadf84a6ba2c7a13c8795f97e7784223352513b980f1ac839891ba35d46
SHA1:     b62bbcbcaa9860751853f86072e98f91d28edd65
MD5:     3d36d85f28526e2fc048df17440957a0
File size:     861.0 KB ( 881673 bytes )
File name:     instagram.apk
File type:     JAR
Detection ratio:     5 / 42
Avast     Android:FakeInst-AB [Trj]     20120419
DrWeb     Android.SmsSend.388.origin     20120419
GData     Android:FakeInst-AB     20120419
Kaspersky     HEUR:Trojan-SMS.AndroidOS.FakeInst.a     20120419


  1. Sigh...

    1) The file type is not "JAR". It's an APK file.

    2) This is just yet another FakeSMSInstaller variant, as my dexid tool would have told you. The Lookout guys simply refuse to realize (despite me telling them several times) that this thing uses server-side polymorphism. New variants appear practically every workday.

  2. Oh, yes, and yet another thing. The link to the Lookout blog describes a completely different malware (which also uses server-side polymorphism, BTW) - OpFake.

  3. Ah yes - an apk is a jar - but that's another matter. The Lookout blog describes a strain of similar families which are all affiliates of the same network.

    Btw -- "server side polymorphism" is probably the shittiest term I've ever heard. They just generate a new one every day.

    Why don't you go back to macro viruses and try to catch the Dark Avenger, Vess? You are the internet's original troll.
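
The "JAR" versus "APK" disagreement in the comments comes down to container versus contents: both are ZIP archives, and a signed APK also carries the JAR manifest, so a check keyed only on JAR markers will label an APK as JAR. The following is an added example, not part of the original post or its comments, showing a triage check that tests for the APK markers first; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile


def classify_container(data: bytes) -> str:
    """Classify raw bytes as 'apk', 'jar', 'zip' or 'not-zip' from archive contents."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # APK markers: a root-level AndroidManifest.xml plus Dalvik bytecode
        # whose header starts with the "dex\n" magic.
        has_dex = "classes.dex" in names and zf.read("classes.dex")[:4] == b"dex\n"
    if "AndroidManifest.xml" in names and has_dex:
        return "apk"
    # JAR markers: the JAR manifest or compiled Java classes. A signed APK
    # also has META-INF/MANIFEST.MF, so this check must come second.
    if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
        return "jar"
    return "zip"


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (harmless placeholders, not the file described in this post).
JAR_MANIFEST = b"Manifest-Version: 1.0\n"
SAMPLE_JAR = build_zip({"META-INF/MANIFEST.MF": JAR_MANIFEST,
                        "com/example/Main.class": b"\xca\xfe\xba\xbe"})
SAMPLE_APK = build_zip({"META-INF/MANIFEST.MF": JAR_MANIFEST,
                        "AndroidManifest.xml": b"\x03\x00\x08\x00",
                        "classes.dex": b"dex\n035\x00",
                        "resources.arsc": b""})
SAMPLE_ZIP = build_zip({"readme.txt": b"plain archive"})

if __name__ == "__main__":
    for label, blob in (("jar", SAMPLE_JAR), ("apk", SAMPLE_APK),
                        ("zip", SAMPLE_ZIP), ("text", b"not an archive")):
        print(label, "->", classify_container(blob))
```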