러시아 Kaspersky Lab 에서 안드로이드용 악성코드인 FakePlayer 변종을 발견 보고하였습니다.
해당 악성 파일은 러시아의 특정 성인 사이트에서 배포되고 있는 것으로 추정됩니다.
특히 이번 녀석은 음란한 사진을 아이콘으로 쓰고 있어 일부 모자이크 처리를 하였습니다.
nProtect Mobile for ANDROID 제품에서는 SD카드에 해당 악성파일을 가지고 있을 경우 업데이트를 하지 않아도 기존 Trojan-SMS/Android.Fakeplayer.A 패턴으로 변종 탐지가 가능합니다.
설치 후 치료 기능은 추가될 예정입니다.
Trojan-SMS.AndroidOS.FakePlayer.b
2010년 9월 9일에 업데이트가 된 것으로 파악되었습니다.
http://www.securelist.com/en/blog/2286/Android_SMS_Trojan_Now_Being_Delivered_via_SEO_Techniques
During the course of researching the origin for the first SMS Trojan for Android devices, I found a new Android package masquerading as a porn media player but which instead sends SMS messages to premium rate numbers.
The SMS messages cost $6 each and are sent silently in the background without the user's knowledge.
The latest Android malware (detected as Trojan-SMS.AndroidOS.FakePlayer.b) is being distributed via clever search engine optimization (SEO) techniques, a clear sign that cyber-criminals are making every effort to infect mobile devices. The use of SEO is a significant development that confirms our belief that mobile malware - especially on Android devices - is a potentially lucrative business for malicious hackers.
The code in the latest variant is similar to the first version and I'm pretty sure the same person (or group) is involved in creating and distributing this Trojan. It is currently targeting Android users in Russia.
The fake porn player does not have a user interface. Once installed, it simply drops an icon (an adult-themed photograph) on the smart phone's screen and starts sending premium SMS messages without the user's knowledge whenever the app is launched.
The malware is not available in the official Android app store. It is being distributed via Web sites but, with the search engine optimization techniques being used, there is a likelihood this is infecting a lot of users.
Like all Android apps, the user is prompted to manually install and allow the application to access certain parts of the operating system. This should serve as an immediate warning, especially since media players should not require access and permission to send SMS messages.
As I said in my previous blog entry on this topic, Android users should pay close attention to the services an application requests to access. Automatically permitting a new application to access every service it requests means you could end up with malicious or unwanted applications doing all sorts of things without requesting any additional confirmation. And you won’t know anything about it.
http://www.virustotal.com/file-scan/report.html?id=c6adcd2caaf8a8bd898c8bb8e4923fe7f439e1f984498e94b79a07d03a468d7d-1284004757
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2010.09.09.00 | 2010.09.09 | - |
| AntiVir | 8.2.4.50 | 2010.09.08 | - |
| Antiy-AVL | 2.0.3.7 | 2010.09.09 | - |
| Authentium | 5.2.0.5 | 2010.09.08 | - |
| Avast | 4.8.1351.0 | 2010.09.08 | - |
| Avast5 | 5.0.594.0 | 2010.09.08 | - |
| AVG | 9.0.0.851 | 2010.09.08 | - |
| BitDefender | 7.2 | 2010.09.09 | - |
| CAT-QuickHeal | 11.00 | 2010.09.09 | - |
| ClamAV | 0.96.2.0-git | 2010.09.09 | - |
| Comodo | 6020 | 2010.09.09 | - |
| DrWeb | 5.0.2.03300 | 2010.09.09 | Android.SmsSend.2 |
| Emsisoft | 5.0.0.37 | 2010.09.09 | - |
| eSafe | 7.0.17.0 | 2010.09.07 | - |
| eTrust-Vet | 36.1.7843 | 2010.09.08 | - |
| F-Prot | 4.6.1.107 | 2010.09.01 | - |
| F-Secure | 9.0.15370.0 | 2010.09.09 | - |
| Fortinet | 4.1.143.0 | 2010.09.08 | - |
| GData | 21 | 2010.09.09 | - |
| Ikarus | T3.1.1.88.0 | 2010.09.09 | - |
| Jiangmin | 13.0.900 | 2010.09.08 | - |
| K7AntiVirus | 9.63.2470 | 2010.09.08 | - |
| Kaspersky | 7.0.0.125 | 2010.09.09 | Trojan-SMS.AndroidOS.FakePlayer.b |
| McAfee | 5.400.0.1158 | 2010.09.09 | - |
| McAfee-GW-Edition | 2010.1B | 2010.09.09 | - |
| Microsoft | 1.6103 | 2010.09.09 | - |
| NOD32 | 5435 | 2010.09.08 | - |
| Norman | 6.06.05 | 2010.09.08 | - |
| nProtect | 2010-09-09.01 | 2010.09.09 | - |
| Panda | 10.0.2.7 | 2010.09.08 | - |
| PCTools | 7.0.3.5 | 2010.09.09 | - |
| Prevx | 3.0 | 2010.09.09 | - |
| Rising | 22.64.02.04 | 2010.09.08 | - |
| Sophos | 4.57.0 | 2010.09.09 | - |
| Sunbelt | 6850 | 2010.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2010.09.09 | - |
| Symantec | 20101.1.1.7 | 2010.09.09 | - |
| TheHacker | 6.7.0.0.012 | 2010.09.09 | - |
| TrendMicro | 9.120.0.1004 | 2010.09.09 | - |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.09.09 | - |
| VBA32 | 3.12.14.0 | 2010.09.08 | - |
| ViRobot | 2010.9.8.4031 | 2010.09.09 | - |
| VirusBuster | 12.64.24.0 | 2010.09.08 | - |
