Malware authors cash in on Instagram

Sophos has detected a new piece of malware that is attempting to cash in on the recent news that Instagram is now available for Android.

The Bestman/Witness from Fryazino
(Screenshot by Michael Lee/ZDNet Australia)

Instagram made its way on to Android earlier this month, and users were made more than aware of the application through Facebook's US$1 billion move to buy the company. However, it appears that malware authors have been attempting to cash in on some of that attention: Sophos notes that someone has packaged the Android application in a trojan designed to make its authors money by surreptitiously sending SMS messages to premium rate services.

Curiously, the Android package, which Sophos detects as Andr/Boxer-F, contains a number of identical photos of a Russian man. Sophos analyst Graham Cluley writes that the random number of photos may be there to fool antivirus scanners into not recognising the package as malware, since changing the number of photos also changes the fingerprint of the Android package.

If this sounds familiar, it should. In February this year, Symantec was also perplexed by the presence of a seemingly random number of images of the same Russian man in another piece of malware it detected as Android.Opfake. The findings from its analysis were similar: the trojan sends SMS messages to premium rate services and also attempts to hide itself by changing its fingerprint.
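Why a whole-file fingerprint is brittle against this kind of padding, shown from the defender's side as an added example (not Sophos's or Symantec's detection logic, and not code from the original article). The archives are constructed stand-ins, the photo paths are hypothetical, and the example assumes the code entry is byte-identical across variants, which the article does not state.

```python
import hashlib
import io
import zipfile
from collections import Counter

def build_sample(photo_copies: int) -> bytes:
    """Constructed stand-in for a repackaged APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ZipInfo() pins the timestamp, so output depends only on the contents.
        z.writestr(zipfile.ZipInfo("classes.dex"), b"CONSTRUCTED-DEX-PLACEHOLDER")
        for i in range(photo_copies):
            # Hypothetical resource path; every copy has identical bytes.
            z.writestr(zipfile.ZipInfo(f"res/raw/photo_{i}.jpg"),
                       b"CONSTRUCTED-JPEG-PLACEHOLDER")
    return buf.getvalue()

def file_fingerprint(apk: bytes) -> str:
    """Hash of the whole package: changes whenever any entry is added."""
    return hashlib.sha256(apk).hexdigest()

def entry_hashes(apk: bytes) -> dict:
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def code_fingerprint(apk: bytes) -> str:
    """Hash of the code entry only, which padding with photos does not touch."""
    return entry_hashes(apk)["classes.dex"]

def duplicate_entries(apk: bytes, min_copies: int = 3) -> dict:
    """Content hashes that appear at least min_copies times in one package."""
    counts = Counter(entry_hashes(apk).values())
    return {h: c for h, c in counts.items() if c >= min_copies}

if __name__ == "__main__":
    a, b = build_sample(4), build_sample(9)  # two constructed variants
    print("whole-file hashes equal:", file_fingerprint(a) == file_fingerprint(b))
    print("code-entry hashes equal:", code_fingerprint(a) == code_fingerprint(b))
    print("duplicate counts:", list(duplicate_entries(a).values()),
          list(duplicate_entries(b).values()))
```

Matching on per-entry content, and treating many byte-identical resources in one package as a signal in its own right, survives the padding that defeats a whole-file hash.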

While neither Sophos nor Symantec has confirmed that the same author is at work, it seems highly likely given the similarities, or at least that a community of hackers has access to code or a tool that easily allows legitimate Android applications to be repackaged.

ZDNet Australia contacted both companies on the similarities between the two pieces of malware, but did not receive a response at the time of writing.

Fortunately, users who choose to install Instagram directly from Google Play are not affected. Users would only be infected if they downloaded the Android package from a site serving the trojan, changed Android's default setting so that non-Google Play applications could be installed, and ignored the permissions presented to them at installation.

As for the mysterious Russian man, it turns out the malware author must have a fondness for memes. Known as the "Bestman/Witness from Fryazino", the man was first spotted as a rather casually dressed man in a Moscow wedding photo. He became somewhat of a Russian internet sensation after netizens took it upon themselves to photoshop him into various photos including Royal Family portraits or album covers of the Ramones.

Topics: Android, Google, Malware, Security

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
