Malicious Android apps posing as the mobile Opera Mini browser or an update for it are nothing new, and they are usually malware that sends text messages to premium-rate numbers without the device owner’s knowledge.
Until now, the apps in question merely appeared to be Opera Mini – once installed, there would be no trace of the popular browser, and this would alert some users to the likelihood that their devices have been compromised.
But GFI researchers have recently spotted a new version of the malware, and this time it is no longer just mimicking Opera Mini, but has been bundled with it.
The malicious app can be picked up on a fake Opera Mini support website and, during installation, it presents the user with two sets of permissions: one belonging to the malware and the other to the legitimate Opera Mini app.
Once the permissions are given, both apps are installed and the user can use Opera Mini without problems.
“More than likely, users will not be aware that something might have infiltrated their phones until the bill arrives,” the researchers commented.
In the meantime, the malware works quietly in the background, sending a premium-rate SMS, retrieving data from a C&C server, and exfiltrating information such as country location, operator name, OS version, phone type and device ID (IMEI) to it.
Users are advised always to download apps from legitimate and well-reputed online stores in order to minimize the possibility of downloading malware instead.