One-Click Fraud Variant on Google Play in Japan Steals User Data

Last week McAfee Labs reported a series of “one-click fraud” malware on Google Play in Japan. We have been monitoring this fraudulent activity and have found more than 120 additional variants on Google Play since the previous report. The malicious developers upload five or six applications per account using three to five accounts every night, even though almost all of the applications are quickly deleted from Google Play. In some cases the fraudsters upload the applications with few or no modifications to the previous ones, and in other cases they substantially modify images and descriptions. But the final behavior is always the same.

Most of the variants of this malware have the same functionality, with only slight differences in their implementation code. They simply show the fraudulent web pages on the in-application web component or the device’s browser.

McAfee has also found a variant of this family of malware with more dangerous features. This variant retrieves the device user’s Google account name–the email address–as well as the phone number, and sends the information to the attacker’s remote server.

 

Fig.1 Application description page on Google Play

The application description page on Google Play.

 

This application, tv.maniax.p_urapane1, is a 16-piece slider-puzzle game consisting of pornographic images. It also plays movie files when the user completes the game.

Unlike previous variants from this family of fraudulent malware, this application requires several permissions at installation that are usually unnecessary for this type of game:

  • android.permission.READ_PHONE_STATE
  • android.permission.GET_ACCOUNTS

 

Fig.2 List of required permissions

The malware’s list of required permissions.

 

Behind the scenes, the malware retrieves the user’s data using these permissions and sends it to a remote server by opening the URL http://man****app.com/m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. It stores the data in a MySQL database server using the Java Database Connectivity API in a database-driver library in the application.

 

Fig.3  Application screens

Malware application screens.

 

Fig.4 Google account name and phone number data sent on network

Google account name and phone number data sent to the attacker’s server.

 

This application also displays some “advertisement” links at the bottom of the screen. The application’s description page on Google Play says that the developer does not guarantee the safety of these linked advertisements, implying that they are not aware of the contents of the ads. In fact, however, the application simply displays the image files bundled in the application package and invokes the browser with the hard-coded URL http://pr**.*obi/?neosp_nontop_eropne01, which is the fraudulent web page often used in other variants of this one-click-fraud family of malware.

 

Fig.5 Fraudulent Web pages

Fraudulent web pages.

 

The stolen Google account name and phone number are not directly used in the fraudulent page opened from this application. However, we expect the attacker will try to use this information for future malicious activities.

Fortunately, this application was deleted from Google Play within a day after it was added, and so the number of victims should be small. But the appearance of this variant indicates that the attackers are determined to collect personal information from their victims and that they are capable of developing variants with more advanced features than previous ones.

McAfee Mobile Security detects this application as Android/OneClickFraud, and will continue to monitor for more fraudulent activities from this family in Japan.