Android.GeoFake

Type:

Trojan

Android.GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers. 

Android package file The Trojan may arrive as a package with the following name:

APK: santander.apk
Version: 1.0
Application name: TokenGenerator




Permissions
When the Trojan is installed, it requests permissions to perform the following actions:

• Get information about the currently or recently running tasks
• Open network connections
• Check the phone's current state
• Make the phone vibrate
• Allow access to low-level system logs
• Write to external storage devices
• Access location information, such as Cell-ID or WiFi
• Access location information, such as GPS information
• Access information about networks
• Access information about the WiFi state
• Start once the device has finished booting
• Allows management of the list of accounts in the AccountManager
• Allows requests for authtokens from the AccountManager
• Allows access to list of accounts in the Accounts Service
• Allows packages to be restarted
• Read user's contacts data
• Read SMS messages on the device
• Create new SMS messages
• Use the device's mic to record audio

Installation 
The Trojan generally arrives within a repackaged .apk file from a legitimate application. The package name, publisher, and other details will vary and may be taken directly from the original application.


Functionality
The Trojan sends SMS messages to premium-rate numbers by performing one of the following actions:

• Sends SMS using a predefined list of premium numbers
• Connects to a predefined IP address to download a XML-configured list of premium numbers, then sends SMS 

The Trojan will attempt to use the GoogleMaps API to determine region-appropriate premium services based on the compromised device's geolocation.

The Trojan also filters any SMS replies using predefined lists to hide premium service or network operator notifications.