Trend Micro experts found a total of 1,351 sites hosted on the server in question, each falling into one of several categories. They identified Android Market apps, Opera Mini and Phone Optimizer apps, adult apps, app storage sites, and others.
The ones that host adult content are currently unavailable, probably because they’re still being set up, or they were simply taken down by the cybercriminals.
The Android Market app websites are designed to look very similar to the legitimate one, featuring popular applications such as Facebook, Skype, Google Maps, Gmail and YouTube.
The files downloaded from this category contain a malicious element identified by Trend Micro as ANDROIDOS_FAKENOTIFY.A. The files from the Opera Mini and Phone Optimizer category contain a piece of malware called J2ME_SMSSEND.E, designed specifically for devices that support MIDlets.
Statistically speaking, besides the Others category, most sites offer so-called Opera Mini updates and Photo Optimizer applications, followed by Android Market apps with close to 300 websites.
“This particular cybercriminal operation presents some interesting findings. Here we saw that the attackers are not necessarily targeting only one platform,” Paul Pajares, Trend Micro Fraud analyst, said.
“Based on the targeted platform, we also saw that cybercriminals use different social engineering lures. Also, despite the emergence and prevalence of platforms such as Android and iOS, the Symbian platform still seems to be targeted as well.”
Users are advised to be careful about which sites they use to download mobile apps. Many malicious pages are set up to replicate the original almost perfectly, but the name in the browser's address bar can always give away their true purpose and identity.
Even Google’s Android Market sometimes hosts malware embedded in apparently harmless applications, but at least the chances of a user getting infected there are slimmer.