As disclosed in newsgroup, there are several sites masquerades as Android Market which put some popular Apps to lure users to install those malicious Apps. As the following screenshot shows two examples.

    All download malwares are packaged with the same classs.dex with different resource files, with the same behavior: send Premium rate SMS without user awareness. Now they were classsifed as Opfake or Fakeinst.

    Now the same group of fake Android Markets point to the same IP address: 178.63.41.159, with around 20 domain names registered. Some of the domains also serve a malicious JAR file called "browser_update.JAR" which was identified as Java-SMSSend trojan.

    Be aware to such fake sites, and don't download APP from untrusted sources. 

By AegisLab