GFI said:
Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers.
Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites.
It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices. The Labs has been documenting such behavior from SMS scammers for quite some time now.
As of this writing, we’ve seen eight sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant. Below are just some of the file names that are used:
flash_player_android_v.11_installer.apk
adobeflashplayer_11_153_installer.apk
flash_player_installer.apk
flash_player_11_installer.apk
flash_player_android_installer.apk
flash_player_dlya_android_installer.apk
Adobe_Flashplayer_apk_install.apk
com_adobe_flashplayer_111111005__installer.apk
GFI VIPRE Mobile Security detects this OpFake variant as Trojan.AndroidOS.Generic.A.
Note that this particular variant is currently touted by many fake Russian app websites as other applications, which they regularly repackage and distribute to new download servers every two to three days.
GFI Labs also found an English website that also hosts a fake Flash Player file named adobeflashinstaller.apk, which is bundled with adware from a company called AirPush.
This adware is activated upon installation of the app. It loads a screen where users can download more apps bundled with this adware. The app then loads a Home page containing instructions on how to get the fake Flash Player. Inexperienced smartphone owners would happily follow the step-by-step guide, not knowing that they’re actually rooting their smartphone devices.
Pro tip: A legitimate copy of Flash Player does not require a rooted device for it to work.
The app then connects to a forum post on XDA-Developers, a popular development community for smartphones and tablets, to download another .APK file, which is a hacked version of the actual Flash Player app. While it is not malicious in itself, Adobe does not support it—worse, it could cause some problems to the device. With a rooted device, future updates of this hacked app may grant or install new permissions users are not aware of.
Below are other noteworthy capabilities of this adware:
Drops shortcut files, which leads to advertisements, onto the affected device. If users delete these shortcut files, the adware adds more of them.
Changes the user’s Home page
Sends pop-up ads to the phone’s notification bar every 15 minutes on the average.
Starts automatically in the background once the device is turned on or restarted. The only way to terminate it from running in the background is by manually doing a Force Stop from the Settings panel.
Reads the user’s contact data and sends all phonebook contacts to advertisers
We detect this adware as Adware.AndroidOS.AirPush.A.
You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear of them and download only from Google Play.
Jovi Umawing (Thanks to Randall for finding this)
*The Flash icon is attributed to its creator, Mazenl77
More info: http://www.gfi.com/blog/fake-flash-player-app-is-an-sms-trojan-and-adware/
Sample here: http://malwaretips.com/Thread-Trojan-Horse-Flash-Player-Installer-1-0