Android users targetted with malicious Instagram app
Hoax version of hit application comes with added malware
Rogue Android versions of the Instagram photo app have appeared. According to Graham Cluley of security firm Sophos, the fake app looks like the real thing, but in the background it secretly sends SMS text messages to a premium rate number; something you’ll only discover if you examine your bill.
The Instagram photo effects filter and sharing app has been all over the news since Facebook bought it for a painful sum of money last week. The newly released Android version of Instagram has been downloaded over five million times since it was released on the 3rd of April.
It’s in the nature of malware coders to go after subjects of popular interest so, just as we see malicious spam about natural disasters or celebrity death, the massive draw of this app has proved irresistible to the bad guys of the coding world. The fake version of Instagram is distributed from a Russian website, where you can download it directly.
We’re slightly bemused as to why anyone would do this, given that the real thing is available for free anyway – scams of this sort more often take advantage of people searching for pirated versions of paid-for software.
In a report on Sophos’ Naked Security blog, Cluley wrote that “in our tests, the app didn't do a very good job of emulating the genuine Instagram app, but that may be because it failed to find the correct network operator. Because this is a malicious app that seems to be relying in the sending of background SMS messages to earn its creators revenue. Sophos products detect the malware as Andr/Boxer-F.”
This is only the latest malicious fake Android app to have been found in the wild – Sophos reported a malicious version of Angry Birds Space just last week.
If you’re worried about malicious Android applications, there are a few key tips you should keep in mind.
1. Only download apps from Google Play (formerly known as the Android Market). Google runs basic security screening on all apps and – although there were reports last year of malware sneaking into the market – fakes and malicious programs are soon reported and removed.
2. Don’t allow your phone to run apps from unknown sources. Go to the settings menu on your phone, then to Application settings and make sure that the Unknown Sources box isn’t ticked. This won’t work for everyone, as some people use legitimate applications which are distributed as APK files rather than via the Google Play, but if you’re uncertain about your phone security, this is an important added layer of protection.
3. Carefully check to see what permissions an app is asking for when you install it. There’s no reason for a game to require the ability to make calls or send SMS messages.
4. If you absolutely insist on using third-party marketplaces or downloading software from random websites, consider buying anti-malware software for your Android device. We’ll be taking a look at some of your options for Android security in the near future.