Fake Instagram App Laced with Malware Appears on Android

Sophos reports that cybercrooks are taking advantage of Instagram's launch on Android -- and its recent purchase by Facebook -- by releasing fake Instagram apps packed with malware.

Are we surprised? Of course not. Hackers tend to gravitate to popular subjects like the death of a movie star or the release of a popular game. In this instance, they've created a fake Instagram app for Android packed full of malicious goodness because it's an extremely hot topic, and likely to generate some cash from untrained consumers looking to get in on the action.

According to the security firm, the fake app is loaded with Andr/Boxer-F. "In our tests, the app didn't do a very good job of emulating the genuine Instagram app, but that may be because it failed to find the correct network operator," Sophos reports. "[That's] because this is a malicious app that seems to be relying in the sending of background SMS messages to earn its creators revenue."

In addition to the payload, the company also discovered something else that was a little peculiar. "Curiously, contained inside the .APK file is a random number of identical photos of a man," the company says. "Maybe the reason why his picture is included multiple times is to change the fingerprint of the .APK in the hope that rudimentary anti-virus scanners might be fooled into not recognizing the malicious package."

Eventually a Sophos reader discovered the unnamed man standing in a Moscow wedding picture although the version in the app shows just the unnamed man cropped out and the background erased. "It seems the man pictured has become something of an internet phenomenon after his photo was shared widely on Russian internet forums," Sophos adds. "But the reality is that it's just a snapshot at a Moscow wedding."

Unfortunately, Sophos didn't really explain what the fake Instagram app actually does in regards to making money from consumers. However this particular piece of malware works by sending out SMS messages to a premium number, thus the end user is charged a huge sum of money which hackers ultimately pocket.

Just last week security firms discovered a fake version of Angry Birds Space floating around in alternative Android markets. This one carried its payload, Andr/KongFu-L, at the tail end of a JPEG image file. Once activated, it opened the door for additional malware to be downloaded to the local device, making it part of an Android botnet and thus under the control of malicious hackers.

"Android malware is becoming a bigger and bigger problem, of course," Sophos reports. "It's quite likely that whoever is behind this latest malware campaign is also using the names and images of other popular smartphone apps as bait."

Naturally the best way to avoid this kind of malware is to download apps from Google Play, Amazon's Appstore and perhaps even GetJar. Grabbing apps from other sources is somewhat risky business, especially if you see more than one copy listed together.

This thread is closed for comments
    Your comment
  • The pop up with a list of permissions prior to installing the apps is there for a reason. Can't really blame anybody else but those who don't take the time to read or understand them.
  • If you don't install a program because it needs complete access to your phone, then you might as well avoid 95% of all Androd apps or games. (And I do for that reason by the way). I find it absolutely amazing all the permissions Android programs require. I bought my Android phone base on all the great things people were saying about Android vs IOS. I can't use hardly anything in the Android Market other than music or books because of all the permissions.
  • Google better fix the issues with the Play Store. Every time I update my apps, at least one of them starts spamming my notification bar. Then I have to use AirPush to find it and then remove the app. It's getting real aggravating. There going to have to start doing some sort of QC before apps are launched.