17 Bad Mobile Apps Still Up, 700,000+ Downloads So Far

We’ve reported previously that malicious apps were discovered in the official Android app store, which is now known as Google Play. While those reported apps were removed, more malicious apps have been seen in the official marketplace and appear to be still victimizing users. This is just one of the important reasons why we feel that a technology like our Trend Micro Mobile App Reputation is crucial in users’ overall mobile experience and security.

In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code.

Application Name	Package Name	App Developer	Brief Behavior Description
Spy Phone PRO+	com.spinXbackup.backupApp	Krishan	Sends out GPS location, SMS and call log
微笑的小工具	com.antonio.smiley.free	Antonio Tonev	Connects to C&C server and waits for the command
應用程序貨架	com.antonio.wardrobe.apps.lite	Antonio Tonev	Connects to C&C server and waits for the command
小兔子射氣球	com.christmasgame.balloon	Ogre Games	Connects to C&C server and waits for the command
阿維亞拼圖	com.macte.JigsawPuzzle.Aviation	Macte! Labs	Connects to C&C server and waits for the command
山拼圖	com.macte.JigsawPuzzle.Hills	Macte! Labs	Connects to C&C server and waits for the command
食品謎	com.macte.JigsawPuzzle.Food	Macte! Labs	Connects to C&C server and waits for the command
NBA SQUADRE PUZZLE GAME	com.bestpuzzlesgames.NBA1	Crisver	Pushes applications and advertisements to user
NFL Puzzle Game	com.bestpuzzlesgames.nfl	Crisver	Pushes applications and advertisements to user
本機拼圖	com.macte.JigsawPuzzle.Indians	Macte! Labs	Pushes applications and advertisements to user
拼圖：紐約	com.macte.JigsawPuzzle.NewYorkCity	Macte! Labs	Pushes applications and advertisements to user
Cricket World Cup and Teams	com.bestpuzzlesgames.cricket	Crisver	Pushes applications and advertisements to user
怪物3D	com.killu.m3d	Killugames	Pushes applications and advertisements to user
最佳設計的鞋子	com.killu.bds	Killugames	Pushes applications and advertisements to user
爆轉陀螺益智	com.manic.bb	Manic Puzzles	Push applications and advertisements to user
芭比好萊塢之謎	com.espu.bho	Puzzles	Push applications and advertisements to user
芭比娃娃夢幻之謎	com.espu.bafa	Puzzles	Push applications and advertisements to user

Among them, one app which explicitly describes itself as a spying app has also been flagged as a threat by Trend Micro due to its potential for misuse. This particular threat is known as ANDROIDOS_PDASPY.A. Its Google Play page makes it clear what its purpose is:

The attacker must initially install and set up this particular app onto the target phone, as can be seen in the following screenshots:

Its capabilities include tracking a phone’s location, phone calls, and messages. Once the attacker presses the “Save & Start” button, the attacker can then track the device via the website given:

Most of these apps have been downloaded several thousand times. The above PDASpy app appears to have been downloaded more than 100,000 times. Collectively, the detected apps have been downloaded more than 700,000 times. Users not running any mobile security app may be victimized by annoying ads (AirPush) or the apps’ (Plankton) malicious connections to remote C&Cs.

We discovered these apps as part of our Mobile App Reputation (MAR) efforts. We continuously monitor both official and third-party app stores for both newly uploaded and popular apps and check for the behavior of these apps. We look not just for malicious behavior, but also bandwidth-consuming and battery-consuming routines.

Trend Micro Mobile Security Personal Edition is capable of detecting the threats we mentioned above.