Research

FakePlayer: take 3

We have just detected a third FakePlayer SMS Trojan for Android phones – it’s been a month since we saw the second one. What’s new in this one?

First of all, the ‘porno player’ icon from the first variant has returned.

In the second place, this variant sends for-fee SMS/text messages to two short numbers now – 7132 as in the previous version and also 4161 – new for this version.

The cost for every SMS/text message remains 6 USD (about 170 Russian rubles).

There are no other changes. The same archive – pornplayer.apk, the same infection vector – via the Internet using SEO tricks and the same queries upon installation:

So no real changes – just a new variant to earn additional money… But the trend for regular updates is a concern.

PS Everyone with a phone which supports J2ME should also beware: if you go to a website which is spreading Trojan-SMS.AndroidOS.FakePlayer.c using a mobile web browser, such as Opera Mini for instance, you will be offered a link to download a J2ME application – which happens to be a Trojan we detect as Trojan.SMS.J2ME.Small.r.

FakePlayer: take 3

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2021

The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021.

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

Subscribe to our weekly e-mails

The hottest research right in your inbox