Thursday, October 13, 2011

New Phishing Technique - Mobile Apps

Symantec has a nice blog post about a new type of phishing scam that has emerged in the mobile world.

Apparently the fragmentation of the Android operating system opened a window of opportunity for people who wish to phish mobile users. As the Symantec blog explains:
The official app, which was initially released in the early part of the year, was only recently published to the Android Market with support for multiple devices. A gap in availability, combined with the large interest of users attempting to get the popular service running on their Android device, created the perfect cover for Android.Fakeneflic to exploit.

In the images below you can see the subtle differences between the real and fake versions.

Once a user has clicked on the “Sign in” button, they are presented with a screen indicating incompatibility with the current hardware and a recommendation to install another version of the app in order to resolve the issue. There is no attempt to automatically download the recommended solution. Upon hitting the “Cancel” button, the app attempts to uninstall itself. Any attempt to prevent the uninstall process results in the user being returned to the previous screen with the incompatibility message.
In spite of the list of permissions that is requested, it is unclear what Android.Fakeneflic will collect from your phone or what it can do. But if past experience with PC-based malware is any indication, then it could be used to capture your passwords or credit card information, and could even be used to hijack your voice or data connection to make fraudulent calls from your phone, calls for which you would be required to pay.
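The post notes that the requested permission list by itself does not say what the app does, but it is still the first thing a practitioner looks at when deciding whether a "Netflix" sign-in app deserves a closer look. The following is an added example (not code from the original post or from Symantec) that parses a decoded AndroidManifest.xml and flags permissions that a video-streaming client has no business requesting: toll permissions (SMS, phone calls) and interception permissions that map to exactly the fraud scenarios described above. The manifest, the package name used in it, the baseline set and the flagged-permission table are all constructed assumptions for this example; the post does not list Fakeneflic's real permissions.

```python
"""Triage an Android app's requested permissions against its stated purpose.

Added example, not code from the original post or from Symantec.  The manifest
below is constructed for illustration; it is not the real Fakeneflic manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, human-readable AndroidManifest.xml (the form apktool/aapt emit).
# Assumption: a fake streaming client that also asks for SMS and call rights.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestreaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Netflix">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""

# Assumption: what a video-streaming client plausibly needs.
STREAMING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Permissions that let an app run up a bill or capture credentials and codes.
# None of these are needed to stream video, so each one is a finding.
TOLL_AND_INTERCEPT = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls without showing the dialer",
    "android.permission.PROCESS_OUTGOING_CALLS": "can observe or redirect outgoing calls",
    "android.permission.READ_PHONE_STATE": "exposes device identifiers and call state",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def triage(manifest_xml, baseline=STREAMING_BASELINE):
    """Compare requested permissions with the baseline for the app's claimed role.

    Returns a dict with the raw request set, everything outside the baseline,
    and the subset of those that are toll/interception permissions.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = requested - baseline
    findings = {
        perm: TOLL_AND_INTERCEPT[perm]
        for perm in sorted(unexpected)
        if perm in TOLL_AND_INTERCEPT
    }
    verdict = "suspicious" if findings else "consistent with stated purpose"
    return {
        "requested": requested,
        "unexpected": unexpected,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("verdict:", report["verdict"])
    for perm, why in report["findings"].items():
        print("  %-45s %s" % (perm, why))
```

This is a heuristic, not a verdict: a legitimate app can over-request, and a phishing app can ask for nothing beyond INTERNET and still harvest the credentials typed into its fake sign-in screen. The authoritative way to tell a real client from a look-alike is not the UI or the permission list but whether the APK is signed by the publisher's known certificate; the permission check is what you run first because it needs nothing but the manifest.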

To protect yourself, make sure you have a proper mobile security product installed. There are several out there: Symantec, McAfee, Lookout, and Webroot all offer good products. In fact, PC Magazine recently named Webroot Editors' Choice.

Do your research and protect yourself.