Malware authors cash in on Instagram

Sophos has detected a new piece of malware that is attempting to cash in on the recent news that Instagram is now available for Android.

The Bestman/Witness from Fryazino
(Screenshot by Michael Lee/ZDNet Australia)

Instagram made its way on to Android earlier this month, and users were made more than aware of the application through Facebook's US$1 billion move to buy the company. However, it appears that malware authors have been attempting to cash in on some of that attention: Sophos notes that someone has packaged the Android application in a trojan designed to make its authors money by surreptitiously sending SMS messages to premium rate services.

Curiously, the Android package, which Sophos detects as Andr/Boxer-F, contains a number of identical photos of a Russian man. Sophos analyst Graham Cluley writes that it's possible that the reason for the random number of photos is to fool antivirus scanners into not recognising the package as malware, since the fingerprint of the Android package changes along with the number of photos.

If this sounds familiar, it should. In February this year, Symantec was also perplexed by the presence of a seemingly random number of images of the same Russian man in another piece of malware it detected as Android.Opfake. The findings from its analysis were similar: the trojan sends SMS messages to premium rate services and also attempts to hide itself by changing its fingerprint.
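The fingerprint change described above for both detections can be illustrated from the defender's side. The following is an added example, not code from Sophos, Symantec or the original article: it shows that a whole-file hash differs between two archives that vary only in the number of identical photos, while a fingerprint built from the set of unique file contents stays the same. The archives, file names and byte strings are constructed stand-ins, and skipping `META-INF/` is an assumption made because signature files change with every repackaging.

```python
import hashlib
import io
import zipfile

def file_sha256(archive_bytes):
    """Whole-file hash, the kind of fingerprint that padding defeats."""
    return hashlib.sha256(archive_bytes).hexdigest()

def entry_digests(archive_bytes):
    """Map each entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def duplicate_groups(archive_bytes, min_copies=2):
    """Return {content_digest: [names]} for content stored under several names."""
    groups = {}
    for name, digest in entry_digests(archive_bytes).items():
        groups.setdefault(digest, []).append(name)
    return {d: sorted(n) for d, n in groups.items() if len(n) >= min_copies}

def padding_invariant_fingerprint(archive_bytes, skip_prefix="META-INF/"):
    """Hash the sorted set of unique content digests.

    Entry names and the number of copies are ignored, so adding more
    copies of a file that is already present does not change the result.
    """
    digests = {d for n, d in entry_digests(archive_bytes).items()
               if not n.startswith(skip_prefix)}
    return hashlib.sha256("\n".join(sorted(digests)).encode()).hexdigest()

def build_sample(photo_copies):
    """Constructed stand-in archive: fixed 'code' plus N identical photos."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"constructed-code-bytes")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        for i in range(photo_copies):
            zf.writestr(f"res/raw/photo_{i}.jpg", b"constructed-photo-bytes")
    return buf.getvalue()

if __name__ == "__main__":
    a, b = build_sample(3), build_sample(7)
    print("whole-file hashes equal:", file_sha256(a) == file_sha256(b))
    print("invariant fingerprints equal:",
          padding_invariant_fingerprint(a) == padding_invariant_fingerprint(b))
    for digest, names in duplicate_groups(b).items():
        print(len(names), "identical entries with digest", digest[:12])
```

A large group of byte-identical resources, as reported by `duplicate_groups`, is itself a signal worth surfacing when triaging repackaged applications.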

While neither Sophos nor Symantec has confirmed that the same author is at work, it seems highly likely given the similarities, or at least that a community of hackers has access to code or a tool that easily allows legitimate Android applications to be repackaged.

ZDNet Australia contacted both companies on the similarities between the two pieces of malware, but did not receive a response at the time of writing.

Fortunately, users who choose to install Instagram directly from Google Play are not affected. Users would only be infected if they downloaded the Android package from a site serving the trojan, changed the default Android setting so that non-Google Play applications are allowed, and ignored the permissions presented to them at installation.

As for the mysterious Russian man, it turns out the malware author must have a fondness for memes. Known as the "Bestman/Witness from Fryazino", he was first spotted, rather casually dressed, in a Moscow wedding photo. He became something of a Russian internet sensation after netizens took it upon themselves to photoshop him into various photos, including Royal Family portraits and album covers of the Ramones.