Riskware/FakeInst!Android

Analysis

Riskware/FakeInst!Android is a Potentially Unwanted Application. It is usually downloaded from a third-party repository and poses as an installer for a legitimate application.
When the victim browses such a repository and wishes to download a given application, he/she pushes the "Download" button. An application is downloaded, but it is not the targeted application: it is only a pre-downloader for that application, which system administrators may wish to detect.
That pre-downloader application is detected as Riskware/FakeInst!Android, and it actually requires the end-user to send a given number of SMS messages to given numbers. Figures 3 and 4 show typical screenshots of Riskware/FakeInst!Android.


Figure 3. Pre-downloader for calendroid pro application

Figure 4. Pre-downloader for the Gears application
The number of SMS messages to send, the short codes they are sent to and their content depend on the country the victim lives in (more exactly, on the MCC - Mobile Country Code - specified in his/her SIM card).
Sending SMS messages to those short codes is charged to the victim, so that, in the end, the victim actually pays for the legitimate application he/she wishes to download.
The key to this scheme is that the victim may not fully understand how much he/she is actually paying for the application. Checking the rates for given short codes is possible, but not immediate. The riskware states, for instance, that the end-user can check the rates on www.mobi911.ru (see Figure 5).

Figure 5. Rules for the riskware.


Technical Details


SMS messages are typically sent to the following short codes:
| MCC | Short code | Content            |
| 250 | 7781       | 155744+0+1+p+a+2   |
| 400 | 3304       | 7665240+0+1+p+a+2  |
| 257 | 3336       | 7665240+0+1+p+a+2  |
| 255 | 3838       | 673811+0+1+p+a+2   |
| 255 | 5373       | 673811+0+1+p+a+2   |
...
This list is not exhaustive.
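As an added example (not part of the original entry), the following Python turns the table above into detection logic over outbound SMS records: it flags a message as FakeInst when both the MCC-specific short code and the "+0+1+p+a+2" body format match, and as suspicious when only one of them does, since the list is not exhaustive. The log line format and the sample events are constructed assumptions.

```python
import re

# Short codes and message bodies from the Technical Details table above;
# the page says the list is not exhaustive, so an unlisted destination is
# not automatically benign. MCC 255 is listed with two short codes.
KNOWN_SHORT_CODES = {
    "250": {"7781"},
    "400": {"3304"},
    "257": {"3336"},
    "255": {"3838", "5373"},
}
# Every listed body has the shape "<service digits>+0+1+p+a+2".
BODY_PATTERN = re.compile(r"^\d+\+0\+1\+p\+a\+2$")
# Constructed log format (an assumption, not from the page): one SMS per line.
LINE_PATTERN = re.compile(
    r"^(?P<ts>\S+) mcc=(?P<mcc>\d{3}) dst=(?P<dst>\+?\d+) body=(?P<body>\S+)$"
)

def classify(mcc, dst, body):
    """Verdict for one outbound SMS: 'fakeinst', 'suspicious' or 'benign'."""
    body_hit = BODY_PATTERN.match(body) is not None
    code_hit_for_mcc = dst in KNOWN_SHORT_CODES.get(mcc, set())
    code_hit_any = any(dst in codes for codes in KNOWN_SHORT_CODES.values())
    if body_hit and code_hit_for_mcc:
        return "fakeinst"      # listed code for the SIM's country plus the body format
    if body_hit or code_hit_any:
        return "suspicious"    # body format with an unlisted code, or a code seen elsewhere
    return "benign"

def scan(lines):
    """Parse log lines and group (mcc, dst) pairs by verdict; skips malformed lines."""
    verdicts = {}
    for line in lines:
        m = LINE_PATTERN.match(line.strip())
        if m is None:
            continue
        verdict = classify(m["mcc"], m["dst"], m["body"])
        verdicts.setdefault(verdict, []).append((m["mcc"], m["dst"]))
    return verdicts

# Constructed sample events; the third uses a code listed for MCC 400 from MCC 262.
SAMPLE_LOG = [
    "2021-05-28T10:00:01Z mcc=250 dst=7781 body=155744+0+1+p+a+2",
    "2021-05-28T10:00:05Z mcc=255 dst=5373 body=673811+0+1+p+a+2",
    "2021-05-28T10:00:09Z mcc=262 dst=3304 body=7665240+0+1+p+a+2",
    "2021-05-28T10:01:00Z mcc=250 dst=+79001234567 body=hello",
    "malformed line",
]
```

Calling `scan(SAMPLE_LOG)` yields two `fakeinst` events, one `suspicious` event (a listed code used from an unlisted MCC) and one `benign` event; the malformed line is skipped.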

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

| Product                  | Detection |
| FortiGate                | Extended  |
| FortiClient              | Extreme   |
| FortiAPS                 |           |
| FortiAPU                 |           |
| FortiMail                | Extreme   |
| FortiSandbox             | Extreme   |
| FortiWeb                 | Extreme   |
| Web Application Firewall | Extreme   |
| FortiIsolator            | Extreme   |
| FortiDeceptor            | Extreme   |
| FortiEDR                 |           |

Version Updates

| Date       | Version  | Detail |
| 2021-05-28 | 86.00505 |        |
| 2020-11-29 | 82.19900 |        |