updated 11:45 am EDT, Thu April 19, 2012
Instagram on Android marred by clone apps
Android's app climate had some of its problems exemplified late Wednesday after Sophos discovered a fake version of Instagram for Android. At least one scam site has claimed to offer the app and copied much of the marketing into Russian. Instead of delivering the real app, the site serves a superficial, broken app that secretly loads the Boxer-F trojan, which sends paid SMS messages without the user's knowledge to make money for the creator.
The app gives away its malicious intentions during the install process, when it asks for pay and SMS app privileges that are both out of character for Instagram and would be unusual regardless. However, a borrowed image inserted repeatedly into the app appears intended to throw off antivirus apps that already know to look for a Boxer-F signature.
It may be connected to a related fake version of Angry Birds Space.
As the rogue app is only available outside of Google Play, the spread and damage will be relatively limited. However, it underscores the lack of safeguards outside of an official app store. It also illustrates one of the reasons why Apple has so far gone without an option to download iOS apps beyond the App Store: gains in flexibility are offset by an increased likelihood of hostile code.