The Opfake gang has been targeting Android mobile devices, as well as Symbian, but that does not mean they are limiting their targets to these platforms. Where there is money to be made, they are willing to invest time and resources. This includes scams designed for iPhone users. We have come across a couple of Opfake websites that, while hosting malicious apps that Symantec detects as Android.Opfake, are also designed to perform social engineering attacks on iPhone users.
The iPhone is designed to prevent the installation of applications outside of the Apple App Store. This makes life difficult for bad guys attempting to fool users into installing malicious apps in a similar manner to Android and Symbian devices. To get around this, the Opfake gang have developed a social engineering trick that does not require apps to scam site visitors.
We have seen two different types of websites. The first attempts to trick users into thinking that their browser is out of date and needs to be updated.
When the user clicks on the update button at the bottom of the page, the browser is taken to an installation page showing the progress of the “update”, though in reality there is no updating taking place.
When the “installation” is completed, the user is asked to enter the phone number of their device in order to protect against the unauthorized copying of the application.
If this is done, the user is informed that an SMS message has been sent for confirmation.
We have not been able to confirm this, but given the Opfake gangs predilection for premium rate SMS messages, the message sent to the user most likely leads to premium-rate text fraud.
The second type of website displays a fake Android market, even though the site is viewed using an iPhone. Users are allowed navigate throughout the market and can attempt to download apps as they please. It is a bit peculiar for the user that an Android market can be viewed from an iPhone, but this may be what entices users into attempting to download the apps—some of the apps are not available in the Apple App Store. Non-technical users may not be unaware that Android OS apps do not work on iOS. Like the browser trick mentioned above, the trick works by fooling the user into giving out their phone number after the “installation” of the app.
Although the iPhone has an excellent history of making available safe apps, it cannot protect users from attacks such as the one described here, or from phishing attacks, because they are entirely browser-based. It is important that users are aware of these attacks, and protect themselves accordingly.