A few days ago, Google released the "Android Market Security Tool", which is intended to recover devices from the modifications made by the "DroidDream" trojans. This tool was automatically delivered to the devices of users who had downloaded and installed infected applications.
But according to a report in the mobile.malware discussion group, a repackaged version was distributed in a local forum in China. Thanks to Justin Case for offering the sample; we identified it as the same as the "Fake10086" we discovered one week before. Both of them utilize a Google Code project, http://code.google.com/p/mmsbg/. Thanks also to Tim Wyatt from Lookout, who sent us a private mail dated March 05 to disclose this information.
Related analysis can be found at:
- PSA: Infected "Android Market Security Tool March 2011" App Floating Around - by AndroidPolice: http://www.androidpolice.com/2011/03/09/psa-infected-android-market-security-tool-march-2011-apk-floating-around/
- Android.Bgserv Found on Fake Google Security Patch - by Symantec: http://www.symantec.com/connect/blogs/androidbgserv-found-fake-google-security-patch
- Security Alert 2011-03-04: Yet Another Repackaged Trojan "Fake10086" Leaks User Privacy - by AegisLab: http://blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1