Yesterday marked the 3rd month in a row that the Russian SMS trojan, FakePlayer, received an update to the Android application that has served as a bit of a “black swan” event. In August, the Global Threat Center began reporting on the existence of the first trojan horse application that affects Android devices.

FlakePlayer, as it was dubbed, appears to be a very rudimentary application that attempts to send SMS messages to premium rate numbers. Because of the nature of short code numbers and SMS, this trojan was thought to only work in Russian networks.

Nearly a month later, in September, we reported on a new variant to the original FakePlayer trojan that incorporated a few changes to what the user would see, the propagation method, and how it operates in the background. We also mentioned that that the new variant was being referred to as PornoPlayer.

The 2nd version of the SMS trojan used SEO techniques to achieve prominent placement in search results for Russian websites. One of the most visible changes to the 2nd version was that the application icon, that is visible to the user, showed an adult image. Secondly, the premium rate numbers that the SMS messages were sent to in the background were changed, causing the cost for every SMS message sent to be about $6 (about 170 Russian rubles). The version new for the month of September also changed the archive name from RU.apk to pornoplayer.apk.

Now, nearly a month later from the 2nd version update, we’re seeing a 3rd version of the Russian SMS trojan FakePlayer. This version continues to use the same SEO techniques for propagation and the archive name, pornoplayer.apk, stayed the same. So what has changed in the 3rd version?

If infected, the user will once again see the original application icon that resembles the Windows icon for Microsoft’s Media Player, but the application name remains PornoPlayer.

FakePlayer’s new version now sends SMS messages to two premium rate numbers to charge the victim. Just as in the 2nd version of FakePlayer, the 3rd version sends SMS messages to 7132, but it has added a second number of 4161 to the background process that will charge the user $6, or 170 rubles.

As far as we can tell, there are no other changes to this version of the Android SMS trojan application. The Global Threat Center continues to believe that this application will still only work within Russian provider networks. However, it remains important for users to remain vigilant of their phone bill and look for any unauthorized charges. As is normal for all Android applications, the FakePlayer SMS trojan must present the user with the permissions that it needs access to before it can be installed.

In the case of all three of these versions of FakePlayer, the application plainly requests permission to access “Services that cost you money”. It remains incumbent upon the Android user to ensure that they are installing applications that request permissions that make sense for what the application is supposed to do. In this case, a media player application should not be requesting permission to access “Services that cost you money”. Users must simply stay alert when they’re installing Android applications, both from the Android Market or from 3rd party sources…wherever they may be.