Malicious Dating, Ad Services Plague Japanese Users

In a previous blog post McAfee Mobile Research reported on fraudulent adult dating-service applications on Google Play that target Japanese users. Many other suspicious applications are spreading on Google Play in Japan, and they try to lure users to similar fraudulent sites.

These suspicious applications have appeared on Google Play since May. They offer adult and nonadult image viewers, article-collection sites (known as matome sites in Japan), viewers for a well-known online BBS, information for popular games, silent cameras, and more, as well as the previously mentioned bogus dating services.

[Figure gp-bad-push-1: Suspicious apps include BBS article-collection services and a silent camera app.]

[Figure gp-bad-push-2: Suspicious information apps for a popular game.]

Once a user installs one of these applications, it registers and starts a background service that uses Google Cloud Messaging (GCM), a server-to-device push notification mechanism. Through this mechanism the application developer can send arbitrary data to the device at any time, and the background service runs its code in response to each notification. This background processing occurs even when the application itself is not running.

Push notifications are commonly used this way. For example, a major mobile advertisement network targeting Android devices uses the mechanism in its SDK so that any advertisement can be displayed in the device's system notification area. By incorporating such an ad module, developers earn revenue when the ads are displayed or when users buy the advertised services.
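When an analyst wants to find where an app handles these push messages, the decoded AndroidManifest.xml is the quickest starting point: the GCM receiver and the background service it hands messages to must both be declared there. The following static-triage script is an added example, not McAfee's tooling or code from the apps described; the manifest it scans is constructed, while the permission and intent-action names are the real GCM identifiers.

```python
"""
Added static-triage example (not McAfee's tooling): scan a decoded
AndroidManifest.xml for the components a Google Cloud Messaging (GCM)
background service needs, so an analyst can locate the code that builds
the notifications. The manifest below is constructed; the permission and
intent-action names are the real GCM identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

GCM_RECEIVE_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"
GCM_REGISTRATION_ACTION = "com.google.android.c2dm.intent.REGISTRATION"


def qualify(package, name):
    """Expand the '.Relative' class-name shorthand used in manifests."""
    if name and name.startswith("."):
        return package + name
    return name or ""


def find_gcm_components(manifest_xml):
    """Return a dict describing the GCM-related declarations in a manifest.

    Keys: 'has_permission' (GCM receive permission requested), 'receivers'
    (receiver classes whose intent filters listen for GCM actions) and
    'services' (all declared services, since the receiver normally hands the
    message to one of them for processing off the main thread).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in rcv.iter("action")}
        if actions & {GCM_RECEIVE_ACTION, GCM_REGISTRATION_ACTION}:
            receivers.append(qualify(package, rcv.get(NAME_ATTR)))
    services = [qualify(package, s.get(NAME_ATTR)) for s in root.iter("service")]
    return {
        "has_permission": GCM_RECEIVE_PERMISSION in perms,
        "receivers": receivers,
        "services": services,
    }


def uses_gcm_background_service(manifest_xml):
    """True when both the GCM permission and a receiver for GCM intents are declared."""
    info = find_gcm_components(manifest_xml)
    return info["has_permission"] and bool(info["receivers"])


# Constructed manifest in the shape a GCM-enabled app of that era declared.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jp.example.matome1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <application android:label="Matome Viewer">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".PushReceiver" android:exported="true">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
                <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
                <category android:name="jp.example.matome1"/>
            </intent-filter>
        </receiver>
        <service android:name=".PushIntentService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    info = find_gcm_components(SAMPLE_MANIFEST)
    print("GCM background service:", uses_gcm_background_service(SAMPLE_MANIFEST))
    print("receivers:", info["receivers"])
    print("services:", info["services"])
```

A positive result is a prioritisation signal, not a verdict: plenty of legitimate apps declare exactly these components. Its value is that it names the receiver and service classes, which is where the code that turns a push payload into a notification (and the link it carries) will be found during review.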

By investigating the message contents sent by push notification and displayed in the notification area, we found that in some cases these suspicious applications receive and display links to the previously mentioned malicious dating-service sites. Other notifications display links to other applications' download pages on Google Play, probably to collect affiliate revenue. In any case, these applications are risky or even malicious because they try to send users to fraudulent websites.

[Figures gp-bad-push-3, gp-bad-push-4, gp-bad-push-5: Examples of ads via push notification sent from suspicious servers.]

Push notifications of this sort are risky because they arrive without any prior explanation and without any opportunity for users to decline them at installation or on the first launch of the application. Without these options, such notifications can mislead users into unwanted or risky services.

We have found that Google Play hosts many applications containing this suspicious ad module, and more of them are uploaded almost every day. We have confirmed about 350 of these applications in total, of which more than 160 are still live on Google Play (the others have been deleted for some reason). The total number of downloads of the current apps is between 20,000 and 70,000, and would be much higher if we included the deleted ones.

[Figure gp-bad-push-6: Examples of suspicious apps uploaded every day.]

So far our investigation has found no publicly hosted service operating this advertising module. We believe the module is not provided through any official ad network but is instead operated privately by the application developers on their own server. Because of this arrangement, we consider the ad module a fake that imitates the official modules provided by legitimate ad agencies.

A similar malware family, Android/BadNews, aimed mainly at Russian speakers, also uses a fake ad network: a module provided by the fake network displays links to a malicious application that sends premium SMS messages without the user's knowledge. In the case of Android/BadNews the ad module appears to have been developed as a separate software module; in the suspicious Japanese apps the module is embedded in the application itself.

Many apps containing this fake ad module are published on Google Play across multiple developer accounts. We nonetheless believe that all of them are created and published by a single developer or a group of related developers, given the similarities in their implementation code and the naming conventions used for the apps' package names. Moreover, the developer(s) of these suspicious apps also publish many fraudulent adult dating-service apps. We therefore conclude that this developer operates with malicious intent, trying to capture users by embedding this risky ad module into many apps across various genres on Google Play.
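Two of the analysis steps described above lend themselves to a small triage script: classifying the links carried in captured notification payloads (fraudulent site, Google Play page with an affiliate-style referrer, or something else) and grouping packages by naming convention to see which templates span more than one developer account. The script below is an added example, not McAfee's tooling or the apps' code. Every domain, package name, developer account and payload in it is constructed; the payload layout ({"title", "message", "url"}) and the digit-suffix naming pattern are assumptions made for illustration.

```python
"""
Added triage example (not McAfee's tooling): classify the links carried by
captured push-notification payloads, then group app packages by naming
convention across developer accounts. Every domain, package name, developer
account and payload below is constructed; the payload layout and the
digit-suffix naming pattern are assumptions made for illustration.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Placeholder block list standing in for the fraudulent dating-service domains
# identified in the investigation (constructed, not real IoCs).
FRAUD_DOMAINS = {"dating-example.invalid", "adult-match.invalid"}

URL_RE = re.compile(r"(?:https?|market)://[^\s\"'<>]+")
SEVERITY = {"fraud": 3, "play_affiliate": 2, "play": 1, "other": 0}


def classify_link(url):
    """Return 'fraud', 'play_affiliate', 'play' or 'other' for one link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    is_play = parsed.scheme == "market" or (
        host == "play.google.com" and parsed.path.startswith("/store/apps/details")
    )
    if is_play:
        # A referrer parameter on a store link is what affiliate tracking rides on.
        return "play_affiliate" if "referrer" in parse_qs(parsed.query) else "play"
    if host in FRAUD_DOMAINS or any(host.endswith("." + d) for d in FRAUD_DOMAINS):
        return "fraud"
    return "other"


def triage_payload(payload_json):
    """Parse one GCM-style data payload and classify every link in it.

    Returns (verdict, links): verdict is the most severe classification found,
    or 'no_link' when the payload carries no URL at all.
    """
    data = json.loads(payload_json)
    text = " ".join(str(v) for v in data.values())
    links = [(u, classify_link(u)) for u in URL_RE.findall(text)]
    if not links:
        return "no_link", links
    return max((c for _, c in links), key=SEVERITY.__getitem__), links


def naming_template(package):
    """Collapse digit runs so jp.example.matome12 and jp.example.matome3 share a template."""
    return re.sub(r"\d+", "#", package)


def cluster_by_convention(inventory):
    """Group packages by naming template; keep templates spanning several accounts.

    inventory: iterable of {'package': ..., 'developer': ...} records.
    """
    groups = defaultdict(lambda: {"packages": set(), "developers": set()})
    for app in inventory:
        group = groups[naming_template(app["package"])]
        group["packages"].add(app["package"])
        group["developers"].add(app["developer"])
    return {t: g for t, g in groups.items() if len(g["developers"]) > 1}


# Constructed sample data: captured payloads and an app inventory.
SAMPLE_PAYLOADS = [
    '{"title": "New message", "message": "Someone likes you", '
    '"url": "http://dating-example.invalid/login?a=1"}',
    '{"title": "Recommended", "message": "Try this app", "url": '
    '"https://play.google.com/store/apps/details?id=jp.example.matome2&referrer=aff123"}',
    '{"title": "Update", "message": "Read more at http://news.example.org/item/5"}',
]
SAMPLE_INVENTORY = [
    {"package": "jp.example.matome1", "developer": "account-A"},
    {"package": "jp.example.matome2", "developer": "account-B"},
    {"package": "jp.example.camera3", "developer": "account-A"},
    {"package": "com.other.weather", "developer": "account-C"},
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict, links = triage_payload(payload)
        print(verdict, [u for u, _ in links])
    for template, g in cluster_by_convention(SAMPLE_INVENTORY).items():
        print(template, sorted(g["developers"]), sorted(g["packages"]))
```

The link classifier is only as good as its block list, so in practice the `fraud` bucket should be fed from the domains actually observed in captured notifications; the `play_affiliate` bucket is a useful second signal because a store link carrying a referrer parameter is what affiliate revenue collection rides on. The naming-template clustering is deliberately crude: it surfaces candidate groups for an analyst to confirm with code similarity, as the investigation above did, rather than asserting attribution on its own.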

[Figure gp-bad-push-7: Fraudulent dating-service apps published by the same developers.]

McAfee Mobile Security detects these applications with the fake ad module as Android/BadPush.A.