Trojan:AndroidOS/SMSFakeSky.A is a trojan that affects mobile devices running an Android operating system. It poses as a legitimate application, but instead sends multiple premium SMS messages to certain numbers, which incurs significant costs. Some examples of applications we have observed this trojan posing as are:
Adobe Flash Player
Angry Birds Rio
Browser Mini 6.5
Opera Mini 6.5
The trojan targets Russian-speaking users. Because it poses as a legitimate application, it may ask you for permissions when you try to install it; for example, it may ask for access to SMS or MMS for reading, sending and receiving them.
Once installed, it displays the following text:
"Установка. Вы согласны с условиями загрузки Adobe/Skype. Для продолжения загрузки нажмите кнопку Далее"
which translates to:
"You agree to the conditions for downloading Adobe Flash Player/Skype.
To proceed with download click Next button."
The trojan will then display a notification which urges you to update the mobile device or other applications, when in fact it installs another version of itself:
"Срочное обновление Android (Flash...)"
which translates to:
"Critical update for Android (Flash ...)"
The trojan creates two shortcuts on the home screen:
- "Поиск" (translates to "Search") - this links to another version of the trojan
- "Hello6" - this links to a search engine
Sends messages to premium numbers
When it runs, the trojan displays a fake progress bar to make it appear that it is downloading an app to your mobile device. It then displays a URL to a supposed statement of agreement, but you cannot access this link.
When you click the "Agree" button, the trojan will send multiple SMS messages to premium numbers at your expense. A download link will be generated on one of the following domains:
This download link may link to the legitimate application that the trojan is posing as.
Below are some examples of the premium numbers it sends messages to, and the message it sends:
6666, with the text: 684882541888619512
7151, with the text: 70123360151921672152
7375, with the text: 68295520211518460942
7375, with the text: 68139520211518452612
9999, with the text: 68488520221518419912
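The number and text pairs listed above can be used to triage sent-SMS records exported from a device. The following Python is an added example, not part of the original description: the export format (timestamp, sending package, destination, body), the package names and the sample rows are constructed, and the short-code/numeric-body heuristic is an assumption generalised from the listed samples.

```python
import re
from collections import defaultdict

# Number/text pairs listed in the description above.
KNOWN_PAIRS = {
    ("6666", "684882541888619512"), ("7151", "70123360151921672152"),
    ("7375", "68295520211518460942"), ("7375", "68139520211518452612"),
    ("9999", "68488520221518419912"),
}
# Assumption: generalised shape of those samples (4-digit short code,
# message body of 18 to 20 digits and nothing else).
SHORT_CODE = re.compile(r"\d{4}")
NUMERIC_BODY = re.compile(r"\d{18,20}")

# Constructed sample rows: (epoch seconds, sending package, destination, body).
SAMPLE_OUTBOX = [
    (1000, "com.example.flashinstaller", "7375", "68295520211518460942"),
    (1002, "com.example.flashinstaller", "9999", "68488520221518419912"),
    (1003, "com.example.flashinstaller", "6666", "111122223333444455"),
    (2000, "com.example.messenger", "+15550100", "Running late, see you at 7"),
    (3000, "com.example.bank", "4321", "BALANCE"),
]

def classify(dest, body):
    """Return 'known', 'suspect' or None for one sent message."""
    dest, body = dest.strip(), body.strip()
    if (dest, body) in KNOWN_PAIRS:
        return "known"
    if SHORT_CODE.fullmatch(dest) and NUMERIC_BODY.fullmatch(body):
        return "suspect"
    return None

def triage(records, window=60, burst=2):
    """Report packages that sent a known pair, or `burst` hits within `window` s."""
    hits = defaultdict(list)
    for ts, pkg, dest, body in records:
        verdict = classify(dest, body)
        if verdict:
            hits[pkg].append((ts, dest, verdict))
    report = {}
    for pkg, rows in hits.items():
        rows.sort()
        known = any(v == "known" for _, _, v in rows)
        in_burst = any(rows[i + burst - 1][0] - rows[i][0] <= window
                       for i in range(len(rows) - burst + 1))
        if known or in_burst:
            report[pkg] = {"known": known, "burst": in_burst,
                           "numbers": sorted({d for _, d, _ in rows})}
    return report
```

A single heuristic-only hit is not reported on its own, since one-time numeric codes sent to short codes also occur in legitimate use; a known pair or a burst is required.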
Downloads new versions of itself
The trojan gives itself a way to update by adding a notification in the System Notification bar and shortcuts on the home screen. These require you to take action for re-infection to be successful; if you click on the notification or the shortcut, a new version of the trojan with the same payload will be installed, replacing the old version.