Android Apps Get Hit with the Evil Twin Routine: Part 1

When pop icon Björk, in an interview with the press, invited hackers and pirates to adapt her app from iOS to other platforms, it seems that some people who rose to the call had a hidden agenda in mind: to distribute malware. The evil twin routine, where an author creates a malicious doppelganger or pirated version of a popular app, seems to be the in vogue scam of late when it comes to malware for Android.

Last week, authors in Eastern Europe were targeting the Instagram and Angry Birds fanbase with fake apps (detected by Symantec as Android.Opfake), which resulted in premium SMS text charges. The authors even went to the extent of creating a dummy site to make the scam appear more authentic. This week, Symantec has identified another social engineering scam which attempts to get people to download malware from third-party Android sites by passing itself off as part of the popular Biophilia app.

The app itself comes in two parts: the front-end, which has the ability to stream songs, and a background service with the name ‘Market’. Upon examination of the background service (designed to activate every time the phone starts) it appears to belong to the Android.Golddream family of threats. The authors of this family of threats are known to target third-party apps with malicious versions of popular apps, drawing revenue from premium SMS scams.
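The traits described above (a background service, activation at every boot, and premium SMS revenue) are visible in an app's manifest before it is ever run. The following triage sketch is an added example, not Symantec's tooling or code from the sample; it assumes the manifest has already been decoded to text XML and that boot activation uses the standard `BOOT_COMPLETED` receiver, and the package, activity and receiver names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BOOT = "android.intent.action.BOOT_COMPLETED"
SEND_SMS = "android.permission.SEND_SMS"

# Constructed sample: decoded manifest of a hypothetical repackaged music app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Music Player">
    <activity android:name=".PlayerActivity"/>
    <service android:name=".Market"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Summarise boot persistence, background services and SMS capability."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = [s.get(A + "name") for s in root.iter("service")]
    boot_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT for a in r.iter("action"))
    ]
    sends_sms = SEND_SMS in perms
    return {
        "services": services,
        "boot_receivers": boot_receivers,
        "sends_sms": sends_sms,
        # Each trait is common alone; the combination merits manual review.
        "suspicious": bool(services and boot_receivers and sends_sms),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A flag from this check is a reason to look closer at an app that claims only to stream music, not a verdict on its own.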

In Part 2, I will take a closer look at the inner workings of this Trojan and steps users can take to avoid running into the evil twin routine by looking for a few simple things to help spot fake apps online.