A batch of malicious apps crept into the legitimate Android App Market over the weekend. Despite some telltale signs they were fake, the apps managed to exploit those who made the mistake of downloading them.
Using the name "Logastrod," the developer offered several popular apps including "Angry Birds," "Cut the Rope," "Shoot the Birds" and "Assassin's Creed Revelations," many of which were available for free, according to DroidGamers.
Behind their innocent facade, the cloned apps hid a secret weapon — they compromised customers' smartphones by using them to send premium-rate text messages to the tune of about $20. "The texts are notifications that the user has been charged around $5, but you end up getting 3-4 of them in one shot," DroidGamers wrote. "A free download just became a $20 purchase."
"Premium rate" text-message services are similar to the old "976" numbers that plagued North American telephone users in the 1990s, racking up huge charges for short calls. But the premium text services are rare in the United States, where there's a 30-day lag time between a message being sent and the subsequent bill collection. In Russia and some other European countries, however, the services are easy to set up, and the billing turnaround time is much shorter, offering a huge opportunity for low-level thieves.
[Android's Skyrocketing Malware Woes Will Only Get Worse, Experts Say]
Logastrod's page in the Android App Market was taken down, but this morning (Dec. 12) Mikko Hypponen from the security firm F-Secure found them under another name, "Miriada Production." (Miriada Production's page has since been taken down.)
"There could be several such accounts in the Android Market, turning Google's security efforts into a game of "Whack-a-Mole," Hypponen wrote.
Glaring errors in these cloned apps, captured in a screenshot, highlight the already widely publicized weaknesses in the Android platform.
The screenshot shows the same logo used for both "Cut the Rope," "Assassin's Creed Revelations" and "Where's My Water?" while "World of Goo" and "Need for Speed" also share a logo. A discussion thread on Reddit explained that the apps, many of which have a four or five-star rating, are nearly identical in size, around 56 kilobytes. A real app for a graphics-heavy game like "Assassin's Creed," would be several megabytes.
Simply by getting his phony apps into the official market, Logastrod shined a light on inherent flaws in Android's open-source model, which puts the onus on the developers to ensure their apps are safe, as opposed to Apple, which thoroughly vets all apps before they make it to the iTunes store. Before you download any Android app, read the user ratings and reviews and check to see if you're comfortable with the permissions it requests. If an app looks suspicious or has received questionable reviews, stay away from it.