Beware of Android Defender mobile scareware

Scareware aimed at mobile users is not nearly as ubiquitous as that directed at those who use Windows-run PCs. Nevertheless, there is some out there.

Sophos’ Paul Ducklin has analyzed a sample that, naturally, masquerades as a mobile AV solution.

Dubbed Android Defender, the app simulates finding a host of malware on the victims’ Android device, then urges them to “Buy and eliminate threats”.

Most of the malware names used are actually those of existing threats, so they will definitely sound familiar and they add to the illusion.

“But it’s all smoke and mirrors. You don’t have to be a Java coder, or even a programmer at all, to spot in the source code below that the app is using the Math.random() function to build up a list of virus names to report later,” says Ducklin. “The malware names are field-updatable, stored in Russian and in English in an XML data file that is part of the malware’s APK file.”

It’s interesting to note that while the app itself is buggy and occasionally crashes or won’t allow victims to buy the full version and activate it, it ultimately does confirm the sale and “shows” that the malware has been removed.

It’s also interesting to see that its authors have thought about making the app pretend to update malware signatures every day, as well as build into it a “half-hearted” privacy manager tool.

Unfortunately, not only do victims lose their money by buying it, but are also lulled into a false sense of security.

Ducklin advises users to download and install a legitimate AV solution and to disallow (Security Settings, uncheck the “Unknown sources” option) the installation of apps from unknown sources to prevent something like this from happening in the first place.