Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Android.Opfake.B Continues Evolving – Adopts Bot Tactics

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Taking advantage of Android’s permission system, Android.Opfake.B, disguised as an innocent app, is malware that “smuggles” its way aboard the Android operating system via an APK (application package file), the file format used to distribute and install application software and middleware onto Google’s Android operating system. To evade detection once it’s loaded, Android.Opfake.B becomes polymorphic, changing the names of the applications it pretends to be and creating countless domains to host its malicious files.

Receiving commands from a remote C&C (Command and Control) server, Android.Opfake.B carries out various functions. It’s safe to say none of them do anybody any good except for the cybercrooks who tricked the Droid user into downloading the malware.

Old variants of Android.Opfake simply asked for permission (see following example) to send SMS messages at premium (rip-off?) SMS rates.

Now, the developers appear to be making a major upgrade in sophistication – and nastiness. The latest version of the malware wants permission to read contact data, modify and delete content on the SD card, and automatically start at boot — among other things (see following example).

Android.Opfake.B not only sends premium SMS messages, says Symantec’s Joji Hamada, “it posts the phone number of the compromised device on to a predetermined server, notifying the attacker of the infection. There is also a back door running in the background, waiting for commands through SMS. When a message containing a certain string is received, the malware reads it as a command from the attacker and, depending on the instructions, performs the following actions:

• Sends details such as the IMEI, IMSI, or any received SMS messages

• Sends SMS messages

• Configures the URL that communicates with the server

• Updates or removes rules used by the malware to process the SMS messages received

• Issues HTTP GET requests

• Exfiltrates the contact list on the device

• Downloads .apk files and stores them on the SD card

The malware is keeping itself alive by running in the background and automatically starts if the device is rebooted. There is also code that attempts to install downloaded .apk files, which could be updates of the malware. However, it lacks the permission to do so in the current version.”
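The permission set described above (send SMS, receive SMS commands, read contacts, write the SD card, start at boot, read IMEI/IMSI) is exactly what a triage script can look for in a decoded AndroidManifest.xml. The example below is added here and is not code from ThreatMetrix or Symantec; the mapping from the post's described capabilities to concrete Android permission strings is an assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping: the post describes capabilities, not manifest strings.
OPFAKE_CAPABILITIES = {
    "android.permission.SEND_SMS": "send premium SMS",
    "android.permission.RECEIVE_SMS": "receive commands via SMS (back door)",
    "android.permission.READ_CONTACTS": "exfiltrate contact list",
    "android.permission.WRITE_EXTERNAL_STORAGE": "store .apk files on SD card",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI",
    "android.permission.INTERNET": "post to server / HTTP GET",
}

def requested_permissions(manifest_xml):
    # Collect android:name of every <uses-permission> element.
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")}

def opfake_like_score(manifest_xml):
    # Score = number of Opfake.B-style capabilities requested, with reasons.
    hits = sorted(p for p in requested_permissions(manifest_xml) if p in OPFAKE_CAPABILITIES)
    return len(hits), ["%s: %s" % (p, OPFAKE_CAPABILITIES[p]) for p in hits]

def is_suspicious(manifest_xml, threshold=4):
    # A single SEND_SMS (the old variant) is noisy; the combination is the signal.
    return opfake_like_score(manifest_xml)[0] >= threshold

# Constructed sample resembling the newer variant's request list.
NEW_VARIANT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample resembling the old variant: only premium SMS.
OLD_VARIANT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("old", OLD_VARIANT), ("new", NEW_VARIANT)):
        print(label, is_suspicious(manifest), opfake_like_score(manifest))
```

Run it against a manifest extracted with apktool or aapt; the score is a triage hint, not a verdict, since legitimate messaging apps request several of these too.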

By the time it’s through with the user, Android.Opfake.B has turned his/her Droid into a bot. Turned an Android into a robot. Hard not to comment on the irony in the language. But, we won’t.


Andreas Baumhof, chief technology officer, ThreatMetrix, points out that “fake” security software requesting user permission to load often looks more “authentic” than the real thing. (See following examples of genuine software.)

There are lots of other questions about Android’s permission system, such as “Does it really work?” But, we’ve run out of electrons for now, so they’ll have to wait for a future blog.
