Delving into Andoid.Opfake
Pre-dating many of the mobile platforms it currently targets and outlasting several of the mobile platforms where it originated from, Android.Opfake has a tendency for survival on the mobile threat landscape not unlike roaches in the aftermath of a nuclear holocaust. Combining business savvy through a strong black market affiliate network and quick reaction time to adapt itself to thwart efforts by security vendors, Opfake has not only managed to stay in business for several years, the Opfake family has come to define the evolution of mobile malware.
Like many traditional Trojan horses, on the surface Android.Opfake purports to be a legitimate application. In fact, we have observed several variants of the Trojan masquerading as various apps and content, including an installer for the Opera Web browser and a pornographic movie. Analysis of the code behind the malicious program, as ever, reveals a truer sense of its nature. Numerous suspicious functions exist in its functionality that would have no reasonable place in any legitimate application. For example, encryption of its own configuration files—doubtless an attempt to prevent its behavior from becoming too obvious. It also contains functionality to collect contact details from the device—behavior that immediately raises concerns about information-stealing.
These suspicious activities and more are discussed in greater detail in a recent white paper, entitled Android.Opfake In-Depth.