In October 2010 the discovery of Android.Trojan.FakePlayer.A, the first known malware for the Android operating system, struck us at G DATA SecurityLabs like a bombshell. Once the initial commotion had died down, a number of questions arose.
The malware seemed to have been around since 05 August 2010 - how many individuals were already affected? What evil tricks had the malware authors dreamt up to make life difficult for us analysts? And, indeed, what sort of behaviour would FakePlayer display? In any case, our initial speculations were more than wild.
But although the reality back then was very sobering, it was - at least in some aspects - something to smile at. The program code was simplistic and full of errors. It looked like the developers had taken a look at Android for the first time during one long evening and cobbled together a few snippets of code from here and there. The authors of the malware were even too lazy to change the (then) standard class names for a new Android project in the Eclipse programming environment provided at the time by Google: "org.me.androidapplication1". There was also a "HelloWorld" class. This is the first exercise for most developers when they want to learn a new programming language.
The malware itself was actually quite quick to analyse: the app used a stolen icon from Windows Media Player to pretend to be a media player. But when the app was launched, it simply displayed a message saying "Loading" in Russian and sent a one-off series of premium SMS messages with a total value of almost USD 10.
Over the following months, new variants of the malware appeared at regular intervals. Overall we counted 8 different variants; in each case, the app icon, the app name or the premium SMS numbers used had changed.