We've been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here's another trojan that fits the bill.
OpFake was first found on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app… whose only permission request is to send SMS messages:
Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the messages on launch:
In previous cases, we usually saw these SMS messages hard-coded into the classes; this time, the message contents and telephone numbers are stored in a "config.xml" file and are encoded. Here's the garbled code:
The string becomes readable when decoded using base64 decoding, showing the SMS messages sent by the app on execution:
