What Do Battery Saver, Reception Improver, and Japanese Actress Video Apps Have in Common?

Back in April, Android.Dougalek (a.k.a. "the Movie" malware) made national headlines in Japan when a large group of malicious apps that steal users' contact data was discovered. Obviously, scammers were listening to the news as well. The idea of stealing information using Android apps caught on like a brush fire and, since the discovery of the "Movie" malware, Symantec has come across a handful of copycat apps using the same payload. They include malware such as Android.Uranico, Android.Ackposts, and Android.Maistealer.

Android.Ackposts stands out from the rest because scammers used spam email to lure users into downloading the malicious app. Other attackers have relied on users to find and download the apps through searches on the Internet or various app markets. Relying on search limits the target audience, whereas attacks using spam email potentially affect a much larger audience because most smartphone users have email access on their device. All the scammers need is a list of email accounts to send the spam to. They have a long list, if the many discussions taking place on the Internet regarding this spam are any indication.

The scammers are also taking advantage of a weakness in smartphones that frustrates many users: the battery life of the device. The malicious app promises to extend battery life up to twice as long, which of course it does not do. The social engineering trick combined with the spam email delivery method highlights the large pool of potential victims. And this caught the eyes of more scammers.

As I mentioned in the Android.Ackposts blog, we were not likely to see the last of these types of attack. Android.Ecobatry and Android.Sumzand have jumped on the spam bandwagon, producing similarly intriguing emails to fool recipients into downloading the malicious apps. So far they have tricked users with a battery saver app, an eco-battery app, a solar battery-charger app, and a reception improvement app. One version of Android.Sumzand even pretends to be an app to view free video of the controversial Japanese actress Erika Sawajiri, who is starring in a newly released movie called "Helter Skelter". Understandably, most apps are aimed at fooling troubled users looking for some sort of assistance in improving the user experience of their mobile devices. However, we are likely to soon see a broader range of apps that the malware will pretend to be.

Figure. Malicious app icons mentioned in this blog

The spam emails used to introduce these apps are sent from various domains. While domains can easily be filtered out, in most cases, by configuring the email settings on mobile devices, some emails are sent randomly using domains of actual phone carriers. Users cannot filter these domains effectively because use of carrier domain email is popular in Japan: filtering any of the carriers' domains would mean filtering out many of a user's contacts, and the scammers know this.

We also see the volume of spam increasing along with the online discussions around this. Some people, out of the misguided belief that the apps work, have actually included links to download the malware in postings on blogs and social networking services. So users not only need to watch out for the spam, they also need to be careful not to click on the links included in these types of postings.

The malware itself is not sophisticated, but there is every indication the scams are quite successful. The scammers rely on the malware to perform the simple task of stealing information from the device, which is accomplished with a short length of code. But the key component is the social engineering technique used to trick innocent users. Many users are not familiar with the consequences of owning a smartphone. The number of new smartphone users, however, continues to increase. So scammers are taking advantage of this situation.

We at Symantec want to spread the word about the danger of these apps, and the consequences of installing them, to as many people as possible. Help us reduce the number of victims by being alert to emails introducing apps, as well as postings on the Internet. And use a security app. Symantec provides Symantec Mobile Security and Norton Mobile Security to help protect your device.