In October 2012, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android malware that collected personal data, but that did not deter at least one group of scammers from doing the same as they continued to lure Android device owners to their malware. The Tokyo District Public Prosecutors Office then dismissed the case in December last year because it was unable to find enough evidence to prove that the five suspects were committing a crime. The dismissal has now led to the creation of yet another Android malware targeting Japanese Android device owners.
Symantec has identified new malware, which we detect as Android.Exprespam, that collects personal data such as the device owner’s phone number and the names and email addresses stored in Contacts on the compromised device. As with previously discovered malware such as Android.Enesoluty (which, by the way, is still active), spam emails carry links to fake Google Play pages, hosted on a server located in Washington State in the United States. It is worth noting that the site actually calls itself Gcogle Play. The domain for the website was registered on December 27 and the malicious APK file carries a signature valid from January 2.
We have confirmed nine different app pages on this site, although the downloaded app is the same in each case. A couple of the fake app pages resemble the type of fake tools used by older malware, but most are new types of fake tools. The scammers have made a variety of apps available in the hope that it increases the chances of the apps being installed. This is a distinct ramping up of activity: older malware masqueraded as at most three apps on a site at the same time.
Figure 1. Screenshots of the app pages taken from fake Google Play site
The installation screen displays the permissions that the malware requests, which are typical of recent malware targeting Android users in Japan. The permissions include access to personal information, reading the phone state and identity, and account information, but similar legitimate apps generally do not request these permissions.
Figure 2. Permissions that Android.Exprespam requests
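The permission pattern described above is something a defender can check for at triage time, before an APK is ever installed. The following is an added example written for this post, not code from Symantec or from the malware sample: it parses a constructed AndroidManifest.xml, maps the post's description of the requested permissions to the Android permission names we assume it refers to (READ_CONTACTS, READ_PHONE_STATE, GET_ACCOUNTS), and flags the manifest when that data access is paired with INTERNET, the network path the stolen data would leave by. The manifests and package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the post describes as typical of this malware family.
# The mapping from the post's wording to permission names is our assumption.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "access to personal information (Contacts)",
    "android.permission.READ_PHONE_STATE": "reading the phone state and identity",
    "android.permission.GET_ACCOUNTS": "account information",
}
# Without a network permission the harvested data has no way off the device.
NETWORK = "android.permission.INTERNET"

# Constructed manifest mimicking the pattern described in the post
# (hypothetical package name, not the real sample's).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.faketool">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Fake Tool"/>
</manifest>
"""

# Constructed manifest for a simple utility that needs no personal data.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def triage(manifest_xml: str) -> dict:
    """Flag a manifest that pairs sensitive data access with network access.

    Returns the matched sensitive permissions (with the post's description
    of each) so an analyst can see why the manifest was flagged.
    """
    perms = requested_permissions(manifest_xml)
    hits = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    has_network = NETWORK in perms
    return {
        "flagged": bool(hits) and has_network,
        "sensitive": hits,
        "network": has_network,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "flagged" if result["flagged"] else "ok",
              sorted(result["sensitive"]))
```

The check is a heuristic, not a verdict: a genuine contacts-backup app would trip it too, so it is best used to decide which APKs deserve a manual look, with the app's stated purpose (as the post notes, similar legitimate tools do not need these permissions) as the deciding context.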
Once installed and opened, the malware informs the user that the app is incompatible with the device. However, personal data is sent surreptitiously to a server.
Figure 3. The malware first displays a message that it is initializing and then states that it is not compatible with the device.
If for some reason the network connection is down, it will display an error message.
Figure 4. Error message stating that initialization has failed.
What sets this malware apart from previous malware is that it uses the Secure Sockets Layer (SSL) protocol to upload the information that it steals. This means that the collected data is encrypted when it is uploaded. So why would the creators go out of their way to encrypt the stolen information? It is only speculation on my part but perhaps it may be in order to make it look like they were taking measures to protect the collected data in the same manner as a responsible business. It is possible that the malware author(s) may use this in their defense if they are ever arrested.
Figure 5. Code showing usage of SSL protocol to upload the stolen information.
How much information will have to be stolen by scammers before someone can put a stop to this type of malicious act? The law may not be able to stop it, at least for now, so it is up to individual Android device owners to protect their information as well as their friends’ and family’s information. Think twice before clicking on links you may receive in emails from unknown sources trying to persuade you to download apps. In fact, it would be best to not open emails from any unknown sender. Also download apps from well-known and trusted app vendors. Lastly, install a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.