The First Android Trojan … -ish

Danish newspaper Politiken is running a ritzau piece on what’s been dubbed “The First Android Trojan” [da] in its online version. Now, according to this little article Kaspersky Lab has identified a trojan that poses as a media player and then automatically sends out text messages to a specific number at ridiculous charges. The article doesn’t get more specific than that, so I thought Slashdot might know something more. Slashdot weren’t any more specific than ritzau (which makes sense, since ritzau probably ripped the news from Slashdot in the first place) and they just link to an article on ITWire which is exactly as vague and unspecific as all the other articles.

Fortunately the users of Slashdot had pretty much the same questions as I did. Mainly “What’s the name of the app? (We want to know, so we can avoid it.)” and “How does it sneak in past Android’s warning system?”

Well, it turns out that the name of the app is not something that figures anywhere — neither in the Kaspersky announcement nor in the more specific ReadWriteWeb article. According to the latter the app is not even in the Android Market, and — funniest of all — the trojan only works if you’re on a Russian carrier! So basically, here’s what you have to accidentally do to install this “trojan”:

  1. Figure out the name, because Kaspersky seems to not want to tell us.
  2. Find the downloadable .apk package somewhere on the web and download it.
  3. Configure your phone to allow installation of non-market/untrusted apps.
  4. Install the app and ignore the part of the installation process where the phone actually warns you that this app requires access to services that cost you money. Which is even further specified as: Send SMS messages. Granted, it doesn’t specify if the app will actually make use of it, but it should seem odd to anyone why a media player would need to send out text messages.
  5. Move to Russia. (Unless you already live there, in which case you can happily skip this last step.)
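
The warning in step 4 comes from the permissions the app declares in its manifest. As an added example (not code from Kaspersky or from this post), the Python check below reads a decoded, plain-text AndroidManifest.xml and reports the permissions that Android groups under "Services that cost you money"; the manifest, package name and app label are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions shown at install time under "Services that cost you money".
COST_MONEY = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CALL_PHONE": "directly call phone numbers",
}

# Constructed sample: a "media player" that asks to send text messages.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="Example Media Player" />
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # skip malformed entries without android:name
            names.add(name)
    return names


def cost_money_findings(manifest_xml):
    """Return sorted (permission, description) pairs that can cost money."""
    requested = requested_permissions(manifest_xml)
    return sorted(
        (perm, desc) for perm, desc in COST_MONEY.items() if perm in requested
    )


if __name__ == "__main__":
    for perm, desc in cost_money_findings(SAMPLE_MANIFEST):
        print(f"WARNING: app can {desc} ({perm})")
```
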

So let us draw a parallel to the actual story that spawned the use of the term “trojan” in this modern context. You know, just to put things in perspective. (Bah! Who am I kidding, I just love a ridiculous analogy.)

The Greeks built this huge wooden horse and loaded up 30 men in it because after 10 years of siege of Troy they still couldn’t pwn those Trojan n00bs. Then they put this huge wooden horse somewhere in the woods outside of Troy, but not anywhere obvious because that would be too easy, and the Trojans wouldn’t find it until a couple of years later when some Trojan emo kid and his emo girl friend were hiding in the woods crying and writing poems. Now the Trojans were all pumped up because of this loot and started hauling it back to Troy and someone noticed a sign on the horse saying, “There are some Greek soldiers inside this horse. Maybe they have weapons. And maybe they intend to use them. But who knows? GL HF!” “Fuck it!”, the Trojans said and brought the horse back to town only to get completely Zergling rushed by the Greek soldiers inside who were apparently still in great shape after 2 years inside a wooden horse with only very little to eat and even less to drink and no internets at all! So they killed a brazillion Trojans and then they had pancakes to celebrate and was all like *om-nom-nom-nom-nom*. And they never told anyone — ever! — how they’d passed time waiting for 2 years inside a huge-ass wooden horse.

Now, in this version I would say that the whole Trojan Horse ploy worked, not because of Greek ingenuity and cunning, but because of incredible retardedness on the part of the Trojans. And it does make the Trojan Horse seem like way less of a trojan, doesn’t it? Same thing goes for this “First Android Trojan” — not so sneaky after all, when you have to actually give it permissions to perform its trojan-y goodness.

There’s an angle on this story that’s really interesting, because Kaspersky Lab not only announced that they’d found this alleged trojan, they also announced that they’ll be rolling out some security software for the Android platform in early 2011, and what better way to spark interest than to find some obscure proof-of-concept trojan that’s not even active in the wild and hype it as if it’s actually a real threat?

I really, REALLY wish that news agencies and newspapers would do just a little research before posting such sensational stuff, because we’re definitely not going to see a follow-up that clarifies the matter.

About Anders K. Madsen

Creator and administrator of Lillesvin Networks. Bachelor of Linguistics and Cognitive Semiotics at the University of Aarhus, web developer, Ruby programmer, author of phpCF and amateur musician. Catch me on mail: madsen@lillesvin.net, Twitter: @lillesvin, or Google Talk: lillesvin@gmail.com, if you want to get in touch.

10 Responses to The First Android Trojan … -ish

  1. Steffen says:

    Hah! Thanks for answering a question I had earlier today. I don’t have an Android device so I didn’t read it too closely, but was browsing the Politiken article, like 1.5sec, for the name of the app. Kaspersky sounds like a Russian mafioso dude anyways…

    Luv

  2. Pretty shady stuff from Kaspersky – as for doing research – that died along with people’s attention span.
    Research is moot, for in a second or two there is video of a dog scratching its back [1].

    [1] http://www.youtube.com/watch?v=9zMSqhvFHkE
    (see what I did there?)

    Off Topic:
    I’ve never heard “GL HF” outside of StarCraft – man, you are submerged :-)
    Then again – I never even played anything on Battle.net, so what does that say about me? :-)

  3. @Bjarke I’ve seen ‘GL HF’ in other online games as well — e.g. Urban Terror. I actually don’t play StarCraft that much, and hardly ever on b.net. But I guess I do get influenced by the ton of SC2 matches I watch onli—HEY LOOK, A BIRD!

  4. UT.. hmm.. Google it. Looks like quake-engine. Sorry, id Tech.
    If it is the “UT” abbrev. is quite ironic :-)

    I only listen to podcasts about StarCraft, so I guess I’m tier 3 follower.. Quite the game.

    Btw. Coolest reply to GLHF: “Shut up. I’m trying to concentrate.” :-)

  5. Actually, they use ‘UrT’ because of exactly that. Also, id Tech has no involvement in it apart from open sourcing the engine.

    Also, pretty BM reply to ‘glhf’. LOL!

  6. Steffen says:

    so it’s not “good luck have fun”?

  7. So it’s Quake3-engine?

    Yeah. He’s not there to make friends :-)

  8. @Steffen Yes, it’s ‘good luck, have fun’. :)

    @Bjarke Yup, Quake3 engine. (More here: http://www.urbanterror.info/docs/texts/105/ )

  9. Steffen says:

    not a Trojan horse but an Android app that I thought you might like, see:
    http://tinkerlog.com/2010/03/20/pong-time/

  10. Haha! Awesome! Unfortunately it doesn’t run on my phone (Tattoo running 1.6). :(
