Android/OpFake.A!tr.dial

Analysis

Android/OpFake.A!tr.dial poses as an installer or an activator for the Opera Mini browser. To get the browser, the victim must agree with 'loading rules'. Those rules basically state that this is going to cost a given amount of rubles to the victim.
If the victim clicks "next", a SMS message is sent to a premium phone number, and will be charged to his/her bill.
Once this is done, the malware congratulates the end-user:

Congratulations! The activation is successful. 
Soon you will receive a SMS with a link to download

Such samples are considered as malicious because

• the Opera Mini browser is free and there is usually absolutely no reason to have the victim pay to get it.
• the terms/rules are very short
• there is no guarantee the end-user gets a valid link in return

The malware is usually in Russian.

Technical Details

The code of the malware is quite small. When launched, it displays a window (in Russian) with the loading terms for the Opera Mini browser. It retrieves the phone's operator and country code. It loads various parameterts from an asset named 'params' and reads from that file:

• XMeg: the price to get the download link.
• XNumbers: the short code number to send SMS to.
• XMid: the midlet;s ID
• app_name: the name of the application to download.
• XFlow: unknown flag.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.