{"id":49341,"date":"2016-04-29T12:17:37","date_gmt":"2016-04-29T19:17:37","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=49341"},"modified":"2025-06-01T23:11:46","modified_gmt":"2025-06-02T06:11:46","slug":"fake-android-update-delivers-sms-click-fraud-europe","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fake-android-update-delivers-sms-click-fraud-europe\/","title":{"rendered":"Fake Android Update Delivers SMS, Click Fraud in Europe"},"content":{"rendered":"

McAfee Mobile Research has been monitoring a mobile malware campaign targeting users in Germany, France, and Russia since the beginning of the year. Several users have complained in forums and social networks about a suspicious file with the name Android_Update_6.apk being automatically downloaded when a website is loaded.
\nRecently a user tweeted that one of the advertisers in a widely read German-language news website \u201cpushed\u201d this file when the user navigated the website:<\/p>\n

User reporting the download of the file Android_Update_6.apk.<\/em>
\n Source: https:\/\/twitter.com\/arminhausf\/<\/em><\/p>\n

A month ago, another user reported the same behavior but on a French daily newspaper website and the filename in French:<\/p>\n

User reporting the download of the file mise_\u00e0_jour_Android_6.apk on a French newspaper’s website.<\/em>
\n Source: https:\/\/twitter.com\/Baptouuuu\/<\/a><\/em><\/p>\n

On\u00a0January 29, another user reported the same incident but this time the report went to what appears to be the source of the download:<\/p>\n

User reporting the download of the file Android_Update_6.apk.<\/em>
\n Source: https:\/\/twitter.com\/Baptouuuu\/status\/708391947937914880 <\/a><\/em><\/p>\n

Finally, in one of the earliest reports of this campaign, on January 7 another user reported on the website AndroidPolice the download of the suspicious file when visiting the mobile version from Russia:<\/p>\n

User reporting the download of the file Android_Update_6.apk on the website AndroidPolice.<\/em>
\n Source: https:\/\/github.com\/archon810\/androidpolice\/issues\/69 <\/em><\/p>\n

According to that report, the malicious ad loaded a URL pointing to an APK like the following, triggering the automatic download of the file by the default web browser:<\/p>\n

Android_Update_6.apk available on a remote server since April 20.<\/em><\/p>\n

The question that most users asked in forums when they received this suspicious file was: Is this APK file a legitimate Android update? The answer is absolutely not. Each manufacturer and carrier has its own method of delivering and installing Android updates but, so far, none of them has as a distribution method of an automatic download of an APK file when the user visits a random website. This behavior is most likely related to a malicious application, so we took\u00a0a deeper look at the app to find out its purpose and understand its\u00a0impact.<\/p>\n

Once the app is installed, the following icon appears in the home screen:<\/p>\n

The malware’s icon.<\/em><\/p>\n

However, as soon as the user executes the app, the icon disappears, tricking the user into believing that the app is no longer on the system. Meanwhile, in the background, the malware sends encrypted data to a remote server in Estonia:<\/p>\n

Encrypted traffic sent to a remote server in Estonia.<\/em><\/p>\n

Some variants of the malware were packed and, even after we\u00a0unpacked of the payload, the code was very obfuscated. After some static and dynamic analysis we were able to learn that all the communication between the infected device and the control server is encrypted using an RSA asymmetric encryption algorithm:<\/p>\n

Malware generating a private key using an RSA specification.<\/em><\/p>\n

Here is the device information that was constantly sent by the malware to the remote control server:<\/p>\n