Android.Opfake is malware used to scam mobile device owners into paying a small fee for apps by sending out premium-rate SMS messages from Android devices. It has continued to grow and evolve into a threat that potentially affects a large population of Russian-speaking Android device owners. A quick Internet search will show over a hundred sites, including dedicated sites for popular apps and other sites, pretending to be app market sites with various apps available. There are several variants of Android.Opfake hosted on these sites with different methods to lure victims there initially, and different steps involved in each scam.
We recently came across one variant that carries out its actions in an interesting fashion. The end result makes it so obvious that Android.Opfake is fraudulent because it directs the device owner to Google Play to install the app even though installation had already happened. In this instance, the apps are hosted on dedicated sites as well as fake app markets—typical for Android.Opfake. Here is an example of one of these sites hosting a popular app:
After downloading, installing, and opening the app, an installation appears to run again:
That’s strange, we already installed the app; this installation must be fake.
When the fake installation completes, the device owner is asked to confirm an agreement and continue by clicking a button. Where is this agreement, you may ask? There is actually a link at the bottom of the screen. If read, the agreements states the user will be charged for using the app. It's difficult to notice. You may not even see it:
Let’s press the only button available. We next see a screen that displays a URL and only one button again:
Pressing that button opens the website shown below. There are many apps listed on the page, but we want to take note of the first URL at the top of the page. This is the URL for the app on Google Play that is supposed to be installed already:
Selecting this link does indeed open up Google Play, at least. If you take a close look at the title and the icon of the app on this page, you’ll notice the app we thought was originally installed is absolutely free on Google Play (where we recommend getting it from rather than from an untrusted site):
At this point, it might cross someone's mind that they had just become a victim of a scam or, at least, have a feeling there is something not right here. It’s a bit too late as far as the scam goes because the premium-rate SMS message has already been sent (in the background) during the fake installation.
You should only install apps outside of Google Play from trusted sites. Always check permissions before installation, regardless of where the app is found. If you are not comfortable with some of the permissions requested by the app, do not install it. This particular malware takes advantage of SMS-related permissions, for instance, to perform malicious activities. Games usually should not require such permissions. Finally, protecting your device with a security app such as Symantec’s Norton Mobile Security is also recommended.