Server-side Polymorphic Android Applications

For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family.

Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files.

In one case, when we compare the file CRCs of two downloads, we can see that the only meaningful change happens in “res/raw/data.db”. The other changed files in META-INF contain signature data for the package so that they are just reflecting the fact that the res/raw/data.db has been modified.

File CRC Filename
9dc48f61 074c54b5 META-INF/MANIFEST.MF
b1377893 42ecb534 META-INF/ALARM.SF
248c37f7 65105b65 META-INF/ALARM.RSA
40659b25 40659b25 AndroidManifest.xml
bbd88c2d bbd88c2d resources.arsc
7a3498c4 7a3498c4 classes.dex
6129f361 9e488e9e res/raw/data.db
27bc873d 27bc873d res/drawable-hdpi/logo.png
27bc873d 27bc873d res/drawable-ldpi/logo.png
27bc873d 27bc873d res/drawable-mdpi/logo.png
fa11bed8 fa11bed8 res/drawable-hdpi/icon.png
fa11bed8 fa11bed8 res/drawable-ldpi/icon.png
fa11bed8 fa11bed8 res/drawable-mdpi/icon.png

This means that they share exactly the same code (stored in classes.dex), but that the data is variable. Examining the code, we see that res/raw/data.db contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware. The content of those SMS messages is changed with every download, thereby producing unique files.

In another case of OpFake, the polymorphism was achieved using a different technique. We noticed that there were APKs where all of the code and data files were identical and just the manifest and signature files were different:

CRC Filename
02568138 AndroidManifest.xml
5539013f classes.dex
c9805df6 res/drawable-hdpi/icon.png
c9805df6 res/drawable-mdpi/icon.png
c9805df6 res/drawable-ldpi/icon.png
1d66a094 res/layout/offert.xml
b93210cd res/layout/grant_access_to_content.xml
169b2a86 res/layout/main.xml
30fe74be res/raw/activation_schemes.cfg
aca144d2 res/drawable/progress_finished.xml
3367b765 res/xml/countries.xml
f3087726 resources.arsc
88a24ad9 0.temp
88a24ad9 1.temp
88a24ad9 2.temp

Here the polymorphism is achieved by simply re-ordering the code and data files within the application package. When the package is created, the differences in file ordering will cause different manifest and signature files to be created.

Finally, the packages also included dummy .temp files. We have seen upwards of forty of these dummy files in a single package. However, the number of dummy .temp files may change with each download providing even more permutations each time the application is downloaded. Interestingly, the .temp files do not seem to be used by the threat in any way and they all contain this mysterious picture:

Once the packages are downloaded and installed on the phone, SMS messages are automatically sent and the browser opens certain websites that are hosting further malware and/or the actual legitimate Android applications. Below are some examples of the fraudulent sites that are participating in the distribution of the malware:

While all of the distribution sites that have thus far been discovered are in Russian, the packages have the ability to send SMS messages not just in Russia, but also in other countries across Europe as well as countries like Australia and Taiwan. The following countries are affected by this threat:

Czech Republic
United Kingdom

Though server-side polymorphism is used here, Symantec’s Norton Mobile Security protects customers against the automatically generated variants. We also block access to the websites hosting the Android package with Web Protection. We always advise people to download applications from sources they trust and also to be cautious about what permissions you are giving the applications. For example, Android.Opfake will always request the capability to send SMS messages as can be seen below.


Update February 2, 2012:

The "unidentified" individual in the mysterious picture has been identified as Свидетель из Фрязино. Thanks to Sean Sullivan of F-Secure for the information. The man is known for being digitally manipulated into various photographs.