Riskware/FakeInst!Android
Analysis
Riskware/FakeInst!Android is a Potentially Unwanted Application. It is usually downloaded from a third-party repository and poses as an installer for a legitimate application.
When the victim browses such a repository and wishes to download a given application, he/she pushes the "Download" button. An application is downloaded, but it is not the requested application: it is merely a pre-downloader for that application, which system administrators may wish to detect.
That pre-downloader application is detected as Riskware/FakeInst!Android; it requires the end-user to send a given number of SMS messages to given numbers.
Figures 3 and 4 show typical screenshots of Riskware/FakeInst!Android.
Figure 3. Pre-downloader for the calendroid pro application
Figure 4. Pre-downloader for the Gears application
Sending SMS messages to those short numbers is charged to the victim, so that, in the end, the victim actually pays for the legitimate application he/she wishes to download.
The main issue with this scheme is that the victim may not fully understand how much he/she is actually paying for the application. Checking the rates for given short codes is possible, but not immediate. The riskware states, for instance, that the end-user can check the rates on www.mobi911.ru (see Figure 5).
Figure 5. Rules for the riskware.
Technical Details
SMS messages are typically sent to the following short codes:

| MCC | Short code | Content |
|---|---|---|
| 250 | 7781 | 155744+0+1+p+a+2 |
| 400 | 3304 | 7665240+0+1+p+a+2 |
| 257 | 3336 | 7665240+0+1+p+a+2 |
| 255 | 3838 | 673811+0+1+p+a+2 |
| | 5373 | 673811+0+1+p+a+2 |

This list is not exhaustive.
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

| Product | Database |
|---|---|
| FortiGate | Extended |
| FortiClient | Extreme |
| FortiAPS | |
| FortiAPU | |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |