First of all, it starts with a WhatsApp-themed spam:
From: WhatsApp Messaging Service
Date: 20 September 2013 19:36
Subject: 3 New Voicemail(s)
You have a new voicemail!
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds
*If you cannot play, move message to the "Inbox" folder.
2013 WhatsApp Inc
I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though: click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.
So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.
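The user-agent-dependent serving described above (a 404 page for desktop browsers, an APK for Android clients) can be checked in a repeatable way by fetching the same URL with two User-Agent strings and comparing what comes back. The following is an added example, not code from the original post: it stands up a small local HTTP server that imitates that cloaking behaviour (the 404 page, the APK bytes, the query-string value and the listening port are all constructed placeholders; no real domain is contacted) and then runs the comparison against it. Pointing `compare()` at a real URL is the same call.

```python
"""Detect User-Agent-dependent ("cloaked") responses from a URL.

Added example, not part of the original post.  The target is a constructed
local HTTP server that behaves as the post describes: an HTML 404 for
desktop browsers and an APK download for Android clients.
"""
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/23.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300) AppleWebKit/535.19 Mobile Safari/535.19"

# Constructed stand-in payloads (not the real page or the real APK).
FAKE_404 = b"<html><head><title>404 Not Found</title></head><body>Plesk</body></html>"
FAKE_APK = b"PK\x03\x04" + b"\x00" * 60  # zip magic plus filler; stands in for WhatsApp.apk


class CloakingHandler(BaseHTTPRequestHandler):
    """Serves an APK to Android clients and a 404 page to everyone else."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Android" in ua:
            status, ctype, body = 200, "application/vnd.android.package-archive", FAKE_APK
            extra = {"Content-Disposition": 'attachment; filename="WhatsApp.apk"'}
        else:
            status, ctype, body = 404, "text/html", FAKE_404
            extra = {}
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        for key, value in extra.items():
            self.send_header(key, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed cloaking server on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """Fetch url with one User-Agent; summarise status, type, size and hash."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # an HTTPError is itself a response object; keep its body
    body = resp.read()
    return {
        "status": resp.getcode(),
        "content_type": (resp.headers.get("Content-Type") or "").split(";")[0],
        "length": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "disposition": resp.headers.get("Content-Disposition", ""),
        "zip_magic": body.startswith(b"PK\x03\x04"),  # APKs are zip archives
    }


def compare(url, agents=(("desktop", DESKTOP_UA), ("android", ANDROID_UA))):
    """Fetch url under each User-Agent; flag it as cloaked if the bodies differ."""
    results = {name: fetch(url, ua) for name, ua in agents}
    cloaked = len({r["sha256"] for r in results.values()}) > 1
    return {"cloaked": cloaked, "results": results}


def demo():
    """Run the comparison against the constructed local server."""
    srv = start_server()
    url = "http://127.0.0.1:%d/app.php?message=PLACEHOLDER" % srv.server_address[1]
    try:
        return compare(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    report = demo()
    print("cloaked:", report["cloaked"])
    for name, res in report["results"].items():
        print(name, res)
```

The hash comparison is the useful signal: a landing page that returns different bytes to different clients is worth a second look, and the content type, size and `zip_magic` fields show at a glance when one of the responses is an archive rather than a page.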
I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).
So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse the results of Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.
Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 126.96.36.199 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before.
Up until April, the IP 188.8.131.52 hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address email@example.com. I do not know if they are connected with the fake AV in any way.
Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe.