Android.Walkinwat is the first mobile phone threat discovered in the wild that attempts to discipline users who download files illegally from unauthorized sites.
Figure 1 – Messages displayed by the Trojan
Presented as a non-existent version (V 1.3.7) of Walk and Text, an application that is available on the Android Market, Android.Walkinwat can be found on several renowned file-sharing websites throughout North America and Asia. One could make the case that the creators of the threat intentionally spread this app in these regions in order to maximize download prevalence and convey their message to as large an audience as possible. However, one could also make the case that the creator of Android.Walkinwat is attempting to undermine the publisher of Walk and Text.
Once the app is running, the user is presented with a dialog box that gives the appearance that the app is in the process of being compromised or cracked. In fact, the app is gathering sensitive data (name, phone number, IMEI information, etc.) and attempting to send it back to an external server.
Figure 2 – What happens in the background
Additionally, the app sends out the following SMS messages to all the contacts in the contact list:
Figure 3 – SMS message sent to all contacts in the contact list
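As an added triage example (not code from the original post or from the threat), the sketch below checks whether a decoded AndroidManifest.xml requests the permissions that the two behaviours described above would need. It assumes the manifest has already been decoded from the APK's binary XML to text. The permission names are the standard Android ones rather than values taken from this post, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Behaviours described in the post -> permissions an app must request for them.
BEHAVIOURS = {
    "SMS to every contact": {P + "READ_CONTACTS", P + "SEND_SMS"},
    "phone number/IMEI sent to a server": {P + "READ_PHONE_STATE", P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def possible_behaviours(manifest_xml):
    """List the post's behaviours that the requested permissions would allow."""
    perms = requested_permissions(manifest_xml)
    return sorted(b for b, needed in BEHAVIOURS.items() if needed <= perms)

# Constructed sample manifests (hypothetical package names, not from the threat).
FULL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

PARTIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.other">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("FULL", FULL), ("PARTIAL", PARTIAL)):
        print(label, possible_behaviours(xml))
```

A match shows only that the app could perform the behaviour, so it is a prompt for closer review rather than a verdict. Manifests from untrusted APKs should be parsed with a hardened XML parser.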
Interestingly enough, the Trojan performs the above set of actions in a routine of Android.Walkinwat called “LicenseCheck”, something traditionally used by legitimate apps for license management in conjunction with a Licensing Verification Library available for the Android platform to help prevent piracy. The authors of the malicious code have taken an extra step to make sure that their app was obfuscated, which is another recommended measure to prevent piracy.
Figure 4 – The LicensingService and LicenseCheck routines
The app concludes with a final message to the user, reminding them to check their phone bill and offering the option to buy the legitimate version of the app from the Android App market.
Figure 5 – Final message displayed by the threat
Although this isn’t the first case of disciplinary justice being used as a means to send a message against piracy, this is the first of its kind discovered on the mobile landscape.