FakePlayer
The first known Android malware. Discovered by Kaspersky in August 2010, FakePlayer was a simple SMS trojan disguised as a media player that sent premium-rate SMS messages without user knowledge. It proved Android was a viable target for mobile malware authors who had previously focused on Symbian and Windows Mobile.
Overview
| Property | Value |
|---|---|
| First Seen | August 2010 |
| Type | SMS trojan |
| Attribution | Unknown (Russian-language targeting) |
| Aliases | Trojan-SMS.AndroidOS.FakePlayer.a (Kaspersky), Android.SmsSend.1 (Dr.Web), TROJ_DROIDSMS.A (Trend Micro) |
Distribution
Distributed as a 13 KB APK file disguised as a media player application via websites targeting Russian-speaking users. Not distributed through the Android Market.
Capabilities
| Capability | Implementation |
|---|---|
| Premium SMS | Sent messages to premium-rate numbers 8353 and 3353 |
| Social engineering | Displayed a media player icon to appear legitimate |
FakePlayer had no C2 communication, no data exfiltration, and no root exploits. It was functionally a single-purpose SMS fraud tool.
Permissions
| Permission | Purpose |
|---|---|
| SEND_SMS | Send premium-rate SMS messages |
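
The permission profile and premium numbers listed above can be turned into a static triage check. This is an added example, not code from the original analysis; it assumes a manifest already decoded to text XML and a list of strings already extracted from the app's code, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREMIUM_NUMBERS = {"8353", "3353"}  # premium-rate numbers named on this page

# Constructed sample: a decoded manifest matching the profile described above.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Media Player">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries."""
    # For manifests from untrusted samples, a hardened parser such as
    # defusedxml is the safer choice; the stdlib parser keeps this runnable.
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for el in root.iter("uses-permission")}


def triage(manifest_xml, code_strings=()):
    """List findings that match the single-purpose SMS sender profile."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if "SEND_SMS" in perms:
        findings.append("requests SEND_SMS")
        # No INTERNET or other permission: nothing to do but send SMS.
        if perms == {"SEND_SMS"}:
            findings.append("SEND_SMS is the only permission")
    # code_strings: string constants pulled from the app by a separate tool.
    hits = sorted(PREMIUM_NUMBERS & set(code_strings))
    if hits:
        findings.append("hard-coded premium numbers: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, ["8353", "3353", "Main"]):
        print(finding)
```
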
Evolution
At least three variants were identified (FakePlayer.a, .b, .c). The premium SMS fraud model it pioneered became the dominant Android malware monetization strategy throughout 2010-2012, before overlay attacks shifted the landscape toward credential theft.