Wednesday, March 23, 2011

Android users warned vs malware bundled with Opera Mini


Security vendor GFI Labs said the latest version of the OpFake Trojan, which sends SMS messages to premium-rate numbers, now bundles a copy of Opera Mini.
 
"(There is) a fake Opera Mini support website where users can download a package named 'com.surprise.me' (file name: 'opera_mini_65.apk'), this new Opfake variant, which GFI VIPRE MobileSecurity detects as Trojan.AndroidOS.Generic.A. Do keep in mind that the package and/or file names may change over time," it said in a blog post.
 
During installation, the smartphone user is shown two sets of “Permission to Install” pages.
 
The first set comes from the malware itself, which asks for the right to read and modify SMS and MMS messages, to read all contacts stored on the smartphone, and to modify or delete content on the SD card.
 
After users agree to install, the malware then redirects them to the second set, a legitimate Opera Mini page.
 
"More than likely, users will not be aware that something might have infiltrated their phones until the bill arrives," GFI said.
 
Once installed, the malware sends one SMS message to a premium-rate number before it installs the legitimate Opera Mini.
 
A command and control (C&C) server determines the message that is sent and the number it is sent to. The malware then connects to the C&C server to retrieve data.
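
The permission set described above is what gives this installer away: a web browser has no reason to ask for SMS and MMS rights. The following check is an added example, not code from GFI or Opera. It assumes the APK's manifest has already been decoded to text XML (for instance with apktool), and both the expected package name and the sample permission lists are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permission groups matching the rights the article says the installer requests.
GROUPS = {
    "sms_mms": {P + "READ_SMS", P + "WRITE_SMS", P + "SEND_SMS",
                P + "RECEIVE_SMS", P + "RECEIVE_MMS"},
    "contacts": {P + "READ_CONTACTS"},
    "sd_card": {P + "WRITE_EXTERNAL_STORAGE"},
}

def triage_manifest(manifest_xml, expected_packages):
    """Flag a decoded manifest whose package is unexpected or that asks for SMS/MMS rights."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    groups = sorted(g for g, perms in GROUPS.items() if perms & requested)
    findings = []
    if package not in expected_packages:
        findings.append("unexpected package name: " + package)
    if "sms_mms" in groups:
        findings.append("browser installer requests SMS/MMS access")
    return {"package": package, "groups": groups,
            "verdict": "suspicious" if findings else "ok", "findings": findings}

def _manifest(package, perms):
    # Build a constructed, text-form manifest for the demo below.
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

# Constructed samples: the package name of the fake is the one quoted in the
# article; the permission lists and the expected package name are assumptions.
EXPECTED = {"com.opera.mini.android"}
FAKE = _manifest("com.surprise.me", ["READ_SMS", "WRITE_SMS", "SEND_SMS",
                                     "READ_CONTACTS", "WRITE_EXTERNAL_STORAGE"])
CLEAN = _manifest("com.opera.mini.android", ["INTERNET", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for name, xml in (("fake", FAKE), ("clean", CLEAN)):
        print(name, triage_manifest(xml, EXPECTED))
```

Because GFI notes that package and file names may change over time, the permission check matters more than the name check.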