Not even a month after its launch, "Angry Birds: Star Wars" already has an evil twin.
Almost every popular mobile app has a mischievous doppelganger. Criminals use identical-looking malicious apps to obtain identifiable information, to commit fraud and to wreak havoc on users' devices.
This mobile Trojan robs Android users by clandestinely sending text messages to a premium service, GFI Labs discovered. Victims may not discover they've been hit until an exorbitant phone bill arrives. Users of Apple's iOS platform are not affected.
Strangely enough, after the malware slaps victims on one cheek, it kisses them on the other by installing a legitimate version of the game after texting their bank account into oblivion.
GFI Software senior threat researcher Chris Boyd told TechNews Daily that the gesture is simply to deter victims from complaining.
"They go off happily" with their apps, Boyd said, "but you also have all this other stuff along for the ride."
Boyd said even though the thieves rob you via your phone bill, tracking down who's actually responsible is probably more trouble than it's worth.
"A lot of these are quite popular in Russia," Boyd said of the scams. "People can register with these services far and wide," with fake details and with domains and URLs from countries other than their own.
"Even if you could get the information on which network is being used," Boyd said, "the registration might be completely fictitious."
Android users, even security-minded ones, should never download apps from anywhere but the Google Play store, Boyd said.
"You just don't know what you're going to end up with," he said.
Even then, users should still be wary. Malicious apps have been found in the official Google Play store in the past.
Victims of scams like these most often stumble when they're trying to get something that costs money for free. In this case, users have to visit a Russian website, download the bogus "Angry Birds: Star Wars" files to a computer and then transfer them to their phone via USB. That's a lot of work to do on behalf of your attacker.
Users who must download third-party apps can protect themselves and their phones by employing mobile anti-virus software and by running unauthorized files through a virus-scanning program or Web service before installing them onto their phone.
"I would be very, very cautious about downloading random files," Boyd said. "[If it comes from] a Russian domain or Chinese URL, especially if it's based around a hot new property ... you're probably going to get into trouble."