Recently, AegisLab found there are several variants of premium rate SMS trojans called “OpFake(a.k.a FakeNotify)and “RuFraud”. These two kinds of trojans mainly target on users in Russia Federation and European countries. For examples, please see the following premium-rate SMS numbers:

  • Estonia  17013
  • Czech Republic 90901599
  • Ukraine 7540
  • Tajikistan 1171
  • Poland  92525
  • and more ...(see update)

    In order to earn money from the premium-rate SMS, the trojan will fake itself as a famous app, like Angry Birds (see figure 1&2); or downloader/installer of well-known softwares, it looks like 'real thing' (see figure 3&4). Some of these kinds of apps appear on the third-party download sites, and some will repackage itself, post to the official Android Marketplace, and try to lure innocent people to install it.


  Figure 1 and 2: RuFraud asks “send SMS permission” and installing



Figure 3: Fake Android Market



Figure 4: Lure you to download some “real thing” 


    AegisLab has released hundreds of the latest SMS trojan signatures for our Android AegisLab Antivirus Elite and Free users. Some of what we have found as premium-rate SMS trojans is in the following list includes virus name and package name:

OpFake (a.k.a FakeNotify)

  • ad.notify1
  • com.registr.registrator
  • com.pp.Download
  • opera.updater2
  • and more ...



  • com.Angry.Birds
  • com.Talking.Larry.Bird
  • com.Riptide.GP
  • com.Assassins.Creed
  • com.corazon.horoscope
  • com.Twilight.wallpapers
  • and more ...


By AegisLab