Updated 2012-May-15: we found another download site that uses a different domain name but resolves to the same IP mentioned in GFI's blog. Several alternative markets use these download sites to serve the malware. The IP is 91.223.77.204, located in Ukraine.


According to GFI Labs' blog post titled "New Twitter Spam Run Leads to Android Rogue AV", the download site serves either a JAR file or an APK file depending on the User-Agent. Further analysis showed that the download site also tries to serve the same APK with a different file hash each time. Recall yesterday's blog post, where we found that the APK malware on the RU domain achieves this by inserting junk files into the APK. In this case, the download site uses another approach: it changes the order of unused files inside the APK, which likewise produces a different file hash on every download.

As Android malware turns polymorphic, one of the real challenges for Android anti-malware vendors is only beginning.
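Both tricks described above (junk-file insertion and entry reordering) defeat a hash of the raw APK bytes but leave the parts that actually execute untouched. The following Python example, added here and not code from AegisLab or GFI, builds three constructed APK-like ZIP archives with identical manifest and DEX content (sample bytes, not a real sample), shows that their whole-file SHA-256 values differ, and then computes two order-independent fingerprints: one over every entry's name and content (which survives reordering but not junk insertion), and one over only the manifest and `.dex` entries (which survives both). The entry names, sample contents and the `is_code_entry` heuristic are assumptions for illustration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK's executable core (not real malware content).
CORE_FILES = {
    "AndroidManifest.xml": b'<manifest package="com.example.sample"/>',
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "res/values/strings.xml": b"<resources/>",
}


def build_apk(entries, junk=()):
    """Write an APK-like ZIP in memory. Fixed timestamps keep the output
    deterministic so that only entry order and junk change the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in list(entries) + list(junk):
            info = zipfile.ZipInfo(name, date_time=(2012, 5, 15, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def raw_sha256(apk_bytes):
    """The naive signature: a hash of the file as downloaded."""
    return hashlib.sha256(apk_bytes).hexdigest()


def is_code_entry(name):
    """Heuristic (assumption): the manifest and DEX files are what runs."""
    return name == "AndroidManifest.xml" or name.endswith(".dex")


def _fingerprint(apk_bytes, keep):
    """Hash of sorted (entry name, content hash) pairs for entries passing `keep`.
    Sorting removes any dependence on the order entries appear in the archive;
    hashing the decompressed content ignores compression and timestamp changes."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not keep(name):
                continue
            h.update(name.encode("utf-8") + b"\x00")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()


def entry_fingerprint(apk_bytes):
    """Order-independent hash over all entries: defeats reordering only."""
    return _fingerprint(apk_bytes, lambda _name: True)


def code_fingerprint(apk_bytes):
    """Hash over manifest + DEX only: defeats reordering and junk insertion."""
    return _fingerprint(apk_bytes, is_code_entry)


def make_variants():
    """Three downloads of the 'same' APK: original order, reversed order,
    and original order plus an inserted junk file (all constructed here)."""
    original = build_apk(CORE_FILES.items())
    reordered = build_apk(reversed(list(CORE_FILES.items())))
    with_junk = build_apk(CORE_FILES.items(), junk=[("assets/pad.bin", b"\xab" * 32)])
    return {"original": original, "reordered": reordered, "with_junk": with_junk}


if __name__ == "__main__":
    for label, apk in make_variants().items():
        print(f"{label:10s} raw={raw_sha256(apk)[:12]} "
              f"entries={entry_fingerprint(apk)[:12]} code={code_fingerprint(apk)[:12]}")
```

The raw hashes differ for all three variants, the entry fingerprint matches the original and reordered builds but not the junk-padded one, and the code fingerprint is identical across all three. In practice a detection pipeline would key signatures and clustering on something like `code_fingerprint` (or on the DEX alone) rather than on the downloaded file's hash.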

By AegisLab