Android/FakeRegSms.A!tr - Released Feb 15, 2012 - Last Updated Feb 16, 2012

Alias/es

FSecure: Trojan:Android/FakeRegSMS.B

Visible Symptoms

The application requires the user to send SMS messages to premium-rate numbers before it will download games, themes and utilities related to pornography.

The application name often suggests that it is an installer (see Figure 1):

Figure 1. Notice the "Install" icon

Detailed Analysis

Riskware/FakeRegSms!Android poses as an installer for legitimate applications.

Figures 2 and 3 show screenshots of the license agreement.

Figure 2. Notice the "Rules" button on the right.

Figure 3. License agreement.

The amount of money the user pays to the authors is between 15 and 400 rubles (between 0,38 and 10 euros). In the end, no real application is installed after the victim has paid.

Technical Details

Riskware/FakeRegSms!Android hides data inside a PNG image shipped among its resource files. Hiding information in an image file in this way is called steganography.


Figure 4. PNG file with the tEXt chunk.

Encoded data is embedded in the tEXt chunk of the PNG file. The application decodes it with a bitwise XOR operation. The decoded data contains:
  • costLimit: 150
  • costLimitPeriod: 8640
  • smsData: l5872600885697126387416947526760l
  • smsDelay: 15
SMS messages are sent to the following short code:

  Short code | Content
  -----------+-------------------------------------------------
  5111       | 420 10048 l5872600885697126387416947526760l0100
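As an added triage example (not part of the original entry or of the sample's own code), the script below walks the PNG chunk structure, pulls the payload out of the tEXt chunk, XOR-decodes it and parses the name: value lines listed above. The XOR key used by the real sample is not given on this page, so the script builds its own constructed PNG carrying the listed values under an assumed one-byte key.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk after the signature (CRCs not verified)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        yield ctype, data
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def extract_config(png: bytes, key: int) -> dict:
    """Decode every tEXt chunk with the XOR key and parse 'name: value' lines."""
    config = {}
    for ctype, data in iter_chunks(png):
        if ctype != b"tEXt":
            continue
        _keyword, _, payload = data.partition(b"\x00")  # tEXt = keyword NUL text
        for line in xor_bytes(payload, key).decode("ascii", "replace").splitlines():
            name, sep, value = line.partition(":")
            if sep:
                config[name.strip()] = value.strip()
    return config

# Constructed sample: the values the page lists, XOR-encoded under an assumed
# key (the real sample's key is not given on the page) and wrapped in a 1x1 PNG.
ASSUMED_KEY = 0x5A
PLAINTEXT = ("costLimit: 150\ncostLimitPeriod: 8640\n"
             "smsData: l5872600885697126387416947526760l\nsmsDelay: 15\n")
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"tEXt", b"Comment\x00" + xor_bytes(PLAINTEXT.encode(), ASSUMED_KEY))
              + png_chunk(b"IEND", b""))
```

Running extract_config over a suspect APK's PNG resources with a candidate key recovers the same four fields; a wrong key yields no parsable lines.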

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 3570385