Yesterday, we stumbled across this ad from an Android-related site:



Clicking this led to a malicious Android Market. Note that this isn't the official Android Market, but a fraudulent site designed to look something like the real thing.



Samples found here are detected as Trojan:Android/FakeNotify.A.

As usual, other malicious sites are hosted on the same IP address as the malicious Android Market. One site that came to our attention claimed to unlock hidden features of the phone. This same site was also found to be promoted in Russian forums.

Upon visiting the site, it indicates that it is a "Phone Optimizer":



The text above mentions that mobile phone manufacturers are known to hide phone functionalities in order to earn money. The idea is that the manufacturers would then earn money through an OS update that unlocks the hidden features. This site claims to check your phone for such hidden features and unlock them.

Here's an example of the scan result, and its English translation:



The phone model was correctly identified by checking the User Agent. The download link leads to a malicious file that sends premium SMS to a number based on the country location.

The malicious page does not only target Android devices. If accessed using an Android phone, it issues a file called optimizer.apk; otherwise, it downloads the file optimizer.jar.

We detect this malware as Trojan:Android/FakeNotify.A (the APK), and Trojan:Java/FakeNotify.C (the JAR).

Our Browsing Protection for Mobile is able to block the malicious links identified in this blogpost:



Incidentally, for our readers: If you guys come upon suspicious mobile samples, please feel free to send them to us for analysis at: android-labs[at]f-secure[dot]com. Please include the keyword "Sample" in the e-mail's subject line.

Threat Insight post by — Raulf and Karmina (Also, thanks to Dima for his Russian contribution and English translation.)