This malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it disguises as a mobile web browser Opera Mini. Once the user agreed with the services of the fake browser, it sends text messages to premium numbers.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.
It bears the file icons of certain applications to avoid easy detection and consequent removal.
File size: Varies
File type: DEX
Initial samples received date: 29 Sep 2011
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
It may be manually installed by a user.
Installation
This Trojan bears the file icons of the following applications:
NOTES:
This application disguises itself as the mobile web browser, Opera Mini.
Upon execution, it displays the following message:
The text translates as:
- Title: Initialization
- Body: Confirm agreement with the rules of loading Opera Mini. To continue downloading, click Next.
- Button Правила: Rules
- Button Далее: Next
When the user clicks the button Правила (Rules), the following interface is displayed:
The text in the rules describe the prices of using the services of the fake browser. Payment is made by sending text messages to premium numbers in Kazakhstan, Russia, Ukraine, Latvia, Lithuania, or Estonia.
The buttons translate to (from left to right) Back and Next. Clicking the left button (Back) will bring the user back to the first screen.
When the user clicks the button Далее (Next) in either the first or second interface, it sends the text {prefix} 1oZpW none android {suffix} to a number via SMS. {prefix}, {suffix} and the number can be any of the following:
| {prefix} | {suffix} | Number |
| 7539 | . | 69991 |
| 7539 | . | 4545 |
| 79fgh | . | 7061 |
| 79fgh | . | 1060 |
| 79fgh | . | 4909 |
| 7539 | . | 55886 |
| 7539 | . | 4157 |
| 7539 | . | 4156 |
| 7539 | . | 4153 |
| 7539 | . | 5339 |
| 7539 | . | 2322 |
| 4722 | . | 2855 |
| 4722 | . | 9151 |
| 4722 | . | 7151 |
| 7539 | . | 1874 |
| 7539 | . | 1873 |
| 7539 | . | 1872 |
| 7539 | . | 81185 |
| 7539 | . | 81015 |
| 7830 | . | 9683 |
| 7830 | . | 9685 |
| 7539 | . | 19998866 |
| 7539 | . | 69067 |
| 7539 | . | 1945 |
| 40416 | . | 3302 |
| 40416 | . | 3303 |
| 40416 | . | 9818 |
| 40416 | . | 3302 |
| 40416 | . | 3303 |
| ce277 | . | 8161 |
| ce277 | . | 4449 |
| ce277 | . | 4446 |
| 7539 | . | 930399999 |
| 7539 | . | 17013 |
| 7539 | . | 17012 |
| 7539 | . | 17011 |
| 7539 | . | 1098 |
| 7539 | . | 57575 |
| 7539 | . | 90645045 |
| 7539 | . | 7910 |
| 7539 | . | 9090150 |
| 7539 | . | 9090199 |
| 7539 | . | 5040 |
| 40416 | . | 3339 |
| 40416 | . | 3336 |
| 7539 | . | 1645 |
| 7539 | . | 1635 |
| 7539 | . | 1391 |
| 7539 | . | 72170 |
| 7539 | . | 80888 |
| 7539 | . | 7796 |
| ce277 | . | 4107 |
| ce277 | . | 4106 |
After sending SMS messages, it displays the following:
- Title: Completion
- Body: Activation was successful. You will receive an SMS message with the link to Opera Mini, which will be available after rebooting. If the message does not arrive, you can download Opera Mini at http://{BLOCKED}y.ru/get/1oZpW, or click Next to automatically reboot.
- Button Выход: Exit
- Button Открыть: Open
Clicking the button Открыть (Open), the user is directed to the URL http://{BLOCKED}y.ru/get/1oZpW
Connect with us on
| | | |