Digging Deeper Into ANDROIDOS_CONTACTS.E’s Data Stealing Routines

My previous post discussed how certain spam messages can lead to the downloading of malicious apps detected as ANDROIDOS_CONTACTS.E. This time around, we focused on the app’s routines and how the people behind this threat possibly profit.

My analysis focused particularly on the app “Solar Change”. This Android app (detected as ANDROIDOS_CONTACTS.E) was found to gather contact information such as email address from the infected device. The perpetrators behind apps may then peddle these gathered data to potential attackers and spammers.

When users install the app, it shows the list of permissions that it requests. However, a closer look into these permissions reveal that the app also request for the contact details and list of accounts stored in the device.

Permissions Functions
android.permission.READ_CONTACTS Allows appl to read the user’s contacts data
android.permission.BATTERY_STATS Allows app to collect battery statistics
android.permission.INTERNET Allows app to open network sockets
android.permission.READ_PHONE_STATE Allows read only access to phone state
android.permission.GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service

Unfortunately, allowing such permissions may give other parties access to specific details, which they may distribute to potential spammers.

Aside from “Solar Charge” requesting for access to device information such as contact information and account service, the app itself doesn’t work. Instead, the app only displays the message “Charging” and pretends to charge using solar light. While supposedly charging, another message appears stating that the app “is not available for your device”.

During this “charging state”, the app is actually attempting to steal contact details and Gmail accounts from the device and send these to a specific remote server.

In our analysis of the app’s code, we found some codes responsible for stealing personal information such as contacts and email address.

The screenshot above shows the contents of the communication between Solar Charge and the remote server. We can see that the app attempted to send telephone numbers to the address “myid=080{BLOCKED}”. After the parameter “frdata=”, we also notice that information gathered from the device’s contact details are URL encoded

Based on our decoding, we found that the app attempts to send details such as name, phone numbers and email address to a specific remote server.

Here are the list of servers where malicious apps detected ANDROIDOS_CONTACTS send to their different servers by HTTP communications.

The people behind this app may have used servers located on different countries to possibly to avoid identification. In addition, they can quickly replace a server if one is blocked.

Mobile Address Sold From .14 Yen – 1.5 Yen each

The big question now is, why do these spammers keep stealing contacts using by malicious apps? We can cite two reasons for this: they can use these stolen accounts as part of their spam distribution list. Also, they can sell these stolen data to other groups, which prefer “fresh” accounts for their own businesses such as dating site etc. These accounts are sold in lots, with each lot having in tens of thousands of stolen account information. Prices for each stolen account are from .14 Yen to 1.5 Yen.

Trend Micro users need not worry as Trend Micro Mobile Security detects these apps as ANDROIDOS_CONTACTS.E. As a precaution, users should always scrutinize the permissions they give to the apps they install since this may lead to unwanted device information disclosure to certain parties. To know more about how to keep your mobile device data protected, you may refer to our Digital Life e-Guides below:


Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

Post from: TrendLabs | Malware Blog – by Trend Micro

Digging Deeper Into ANDROIDOS_CONTACTS.E’s Data Stealing Routines

Read more: Digging Deeper Into ANDROIDOS_CONTACTS.E’s Data Stealing Routines

Story added 19. September 2012, content source with full text you can find at link above.