back to article Fake Instagram app slings SMS Trojan onto Android gear

Virus lynchpins are distributing an Android Trojan under the guise of popular photo-sharing app Instagram. The fake version of the Instagram Android app is being distributed via unapproved sources, rather than official sites such as the Google Play Android marketplace. The rogue app has been published on a Russian website …


This topic is closed for new posts.
  1. MrWibble

    Android malware is becoming a bigger and bigger problem," said Graham Cluley, senior technology consultant at Sophos.

    Only to idiots who download apps from random websites, rather than the easier route of one of the app markets available (Google, Amazon, getjar, etc).If Instagram wasn't free, then I could understand why some would want to download from a dodgy source, but a free app?

    1. Anonymous Coward
      Anonymous Coward

      Lots of idiots

      @MrWibble: "Only to idiots who download apps from random websites"

      Which - unfortunately - is an apt description of the technical competence of a significant proportion of phone users. And hence it isn't a problem that can be ignored.

      1. Argh

        Re: Lots of idiots

        They've got to be technically competent enough to allow installation of applications from outside the Play market (Android disables this by default, but it can be changed in the settings after agreeing to a popup that notifies you of the dangers associated with changing it).

        Obviously if there's another way to install applications that works around this safety precaution, it's an Android issue that needs fixing.

        1. Wize

          Re: Lots of idiots

          "They've got to be technically competent enough to allow installation of applications from outside the Play market "

          Its even harder to do on an iPhone and I know of a few knuckle draggers who have managed it so they can install hacked versions of apps.

          The more popular a platform, the more likely it is to filled with nutters who will install anything on it.

  2. Marty


    If your not clued up enough to spot a fake app then you have no business installing apps from anywhere but authorised outlets, IE google play.

    the other group of people that are gong to get stung are the freetards who have downloaded a pack of "full version" apps from demonoid or TPB listed torrents.

    in fact the people that are likely to be caught out by stuff like this should in all honesty and I really am not trying to be facetious, they should be playing in apples walled garden on an iphone.

    school teacher, because this sort of thing is a life lesson....

    1. Anonymous Coward
      Anonymous Coward

      Re: foolish

      The only problem is that most people aren't as 'tech savvy' as El Regs wonderful readers are.

      Joe public really aren't that informed. May be the 'walled garden' would be a better place for them and I think that's really what Google should do with an option somewhere in Android to turn on 'Advanced features' for the more technically minded users.

      That wouldn't totally cure the problem, but would go a long way towards mitigating it. As would timely software updates that are basically a clean install of the OS.

      Google doesn't appear to be that bothered though,. Despite their 'Bouncer' malware has crept into Google play as well.

      The only other option would be an intelligence test when people go to buy a phone.

      "Sorry kid - you're too thick, go use a phone box". I don't imagine that would be a popular move though!

      1. Anonymous Coward
        Thumb Down

        Re: foolish

        Errm they do..

        You can't get this malware, without first finding it, then downloading it, then getting this warning and accepting it...

        If that's not security, I don't know what is.

        What's NOT on, is how the media are portraying this, and how Sophos are destroying their credibility in the process.

        FUD at it's most extreme is perhaps the only way to describe this.

  3. liquidphantom

    why would someone get the app from an unofficial source when it is free? Some people deserve the bad things that happen to them due to their own stupidity.

  4. Silverburn

    Maybe Google should just completely prevent stupid users from downloading apps from unknown sources or from webpages, and perhaps put some sort of vetting process in place for applications before users can install them.

    Some sort of "Walled Garden" should do it. Oh wait...

    1. Anonymous Coward
      Anonymous Coward

      You mean like a setting option you have to select to install apps from places other than the Google market followed by a pop-up dialog where you are warned that doing this may make you phone more vulnerable to attack and that you agree that you are solely responsible for the consequences?

      1. This post has been deleted by its author

      2. Silverburn

        This is sort of my point. How much do they need to do to protect users from themselves? As the general (non-techie, non-T&C reading, click-anything) public start to use Android more and more, more of this stuff will appear, and the blame will be place at the ecosystem, because - god forbid - it's the users fault.

        And it's only a short step from there to a walled garden, where the users absolutely cannot do anything because it's hard-wired in, and the freedom Android users once had will be gone.

        Pah humbug!

  5. Anonymous Coward

    The people falling for this kind of deserve it, but...

    1. I don't think even google play is immune from this. Unless things changed recently they don't review apps, they remove them once people alert them to an issue. In the meantime you can still get something nasty.

    2. Lots of android devices don't support google play. Especially the cheap devices. People buying those devices start looking around for alternative places to get apps, and if they're not too clued up (which they usually aren't if they're buying crap like this) they might well end up on the wrong site.

    1. Anonymous Coward
      Anonymous Coward

      Re: The people falling for this kind of deserve it, but...

      They do review, it's called Bouncer, but El-Reg were too busy reporting tripe like this, than mention something positive...

  6. Andy

    suddenly apples way of doing things looks more attractive..

    1. Anonymous Coward


      Because if you really try hard enough on Android you can get a virus...

      YOu can't simply "get" this, you have to REALLY go out your way.. It's a shame this article is so biased that it fails to mention that rather important fact.

  7. Dr. Vesselin Bontchev

    Typical incompetent crap

    This article contains the typical incompetent crap you can expect from an ElReg article. The only surprising thing is that the blame does not lay only on the stupid journo who has written it (as is usually the case) but also on the AV companies from whose blogs he has taken the info.

    You see, folks, there ain't no such thing as "Android Instagram SMS Trojan". This thing is not specific to the Instagram app in any way. You see, the scam works like this.

    There is a site (a whole network of sites, actually), which claims to be a repository of Android apps - mostly free ones. It's not a market, technically - it's just a site from where you can download app. The site is Russian. Why would anyone want to use a dodgy site instead of the Google Market/Play or whatever it is called this Thursday? Beats me. We're talking Russia, remember? Maybe they don't have an easy enough access to all these apps - remember, Google restricts them by country. Maybe it's too slow or expensive to connect to the genuine market. Maybe they just don't know better. Whatever.

    Any time the (l)user tries to download an app from these Russian sites, no matter which app s/he has specified, s/he gets something completely different. It is actually a "download app". This app sends 3 SMS messages to premium numbers (some variants even say that they would do so, although they don't specify clearly the numbers and the costs) and then download the real app that the user has ordered. Which app it is is written in a data file inside the APK file (APK files are ZIP archives) of the "downloader app" - but the code of the "downloader app" is one and the same, no matter which particular (genuine) app the user has ordered.

    In addition, random data files are added automatically to the APK file of the downloader, in to fool AV programs that depend on whole-file checksums. This is done automatically before every download of the "downloader app".

    But that's not all. In addition, very often (almost every workday) the code of the "downloader app" is edited manually, some trivial changes are made in it (e.g., the classes are renamed, some lines are switched around, variables are defined, etc.) and the "downloader app" is recompiled. This is done in order to fool AV programs that checksum the file inside the APK archive that contains the actual code (classes.dex).

    So, basically, the thing uses server-side polymorphism. It's a downloader and it is stupid to name it after one particular app that the original researcher has initially downloaded without thinking or analyzing the thing.

    It's not really new, either. It's called FakeSMSInstaller and has been around for several months already. But since a new variant appears almost every day, some poor excuse for an AV researcher has decided that they have found something genuinely new. Not so, grasshopper!

  8. paul 97

    Depends what version of android you run

    MIUI version of android - every app that wants to do anything with SMS has an extra prompt with allow / deny.

  9. Jeebus

    Good. Your photos are terrible anyway.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022