NEWS FROM THE LAB - Tuesday, January 31, 2012

Trojan:Android/OpFake.D Still Encodes Its Config File Posted by ThreatSolutions @ 07:28 GMT

We've been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here's another trojan that fits the bill.

OpFake was first found on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app… whose only permission request is to send SMS messages:

Android OpFake, permission

Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the messages on launch:

Android OpFake, SMS

In previous cases, we usually saw these SMS messages hard-coded into the classes; this time, the message contents and telephone numbers are stored in a "config.xml" file and are encoded. Here's the garbled code:

Android OpFake, garbled code

The string becomes readable when decoded using base64 decoding, showing the SMS messages sent by the app on execution:

Android OpFake, decoded code /><br /><br />This Android version (SHA1: 4b4af6d0dfb797f66edd9a8c532dc59e66777072) simply continues the OpFake
ThreatSolutions post by — Irene