Security Researchers at GFI Lab ,spotted an Android application posing as the popular Web browser Firefox and is hosted on several Russian websites. The Android application files (.APK) users can download from them not only vary in file names but also in file sizes.
GFI VIPRE Mobile Security detects the malicious apps as Trojan.AndroidOS.Boxer.d.
The typical Boxer malware appears to be a legitimate app that users can download. Once installed, it loads a Rules page on the phone and asks users to accept it. The app then sends a premium SMS message to any of these numbers: 2855, 3855, 7151, or 8151. The Rules page discloses (in small text) that users will be billed for sending a premium SMS message. Boxer then directs users to the actual website where the legitimate app can be downloaded after claiming that it has successfully activated.
However, this particular variant doesn’t give any details regarding its true purpose. This variant sends the premium SMS message, “5975+3480758+x+a”, to the aforementioned numbers. Lastly, it loads google.com instead of directing users to the actual download site.
Researchers believe that this may be a tactic to make users think that the application is defective. They might download and install the fake software again, allowing Boxer to perform its malicious tasks more than once.
