A chink in Android Armour
Apart from the increasing number of truly malicious Android samples we have to process every day in SophosLabs (around one thousand), we also have to process applications that approach, and often cross, the fine line between completely legitimate applications and potentially unwanted applications (PUAs).
A high number of these borderline samples indicates the degree to which developers view the Android ecosystem as a bit of a gold rush.
Android Armour claims to be a security app for Android and, although it is not hosted on Google Play (first suspicious clue), it is hosted on Amazon's Android store (first non-suspicious clue). The application home page states:
HackerTrapp is the most comprehensive online virus/malware/adware definition database available! In addition to 20 major virus databases
However, the screen used for collecting credit card information in Android Armour closely resembles a Google Play page (very suspicious clue since the app is not hosted on Google Play).
Having seen the Google-like credit card form, I was not surprised to find that Android Armour detected a non-existent threat in one of the applications (another suspicious clue).
After a few attempts to find more details about which application was being detected as malicious, I managed to find it.
It was Dropbox.
Android Armour terms and conditions state:
Android Armour Advanced Version is a weekly subscription. You authorize us to charge you the subscription cost ($0.99) for the first week now, and subsequent weeks will be billed at 0.99$ either weekly or grouped together every four weeks as a single charge of 3.96$. This will be charged automatically, charged to the payment method provided.
http://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/