Info-stealing Android Apps in Japan (Part 1)

Smartphone users in Japan can download a wide variety of apps, many of which are inexpensive or free. Not all of these deliver the features users expect, and some introduce risks that users may not fully understand. In this series of blog posts, I will show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In this first of three entries, I will examine the current situation of info-stealing apps targeting Japanese users.

What is an “Ego App”?

Some apps have unwanted routines that we consider high-risk; for example, some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps that display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

  • Consuming system resources
  • Displaying pop-up advertising
  • Violating the user’s privacy

Users who continue to use these apps may encounter unexpected behavior and may suffer problems without any notice. These apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

Law enforcement actions

On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are also known as “the movie virus.”) In another case, the Kyoto Prefectural Police, together with its Fushimi Police Station, announced the arrest of a company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, and Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to these kinds of cybercrime. In this entry, I will look at the apps used in these attacks.

The apps detected as ANDROIDOS_DOUGALEK and ANDROIDOS_CONTACTS are installed by smartphone users because of their enticing names and descriptions. Some carry Japanese names along the lines of Video Reply, Battery Longevity, or Solar Power Generation. Users install them expecting the functionality their names imply. These apps, however, do not deliver on their claims and instead execute their harmful routines.

In the information theft routine, the cybercriminals focus on the user’s phone book. The names, phone numbers, and email addresses of the people listed in the phone book are extracted and sent to an external server. As a result, the attackers steal not only the device owner’s information but also that of the owner’s friends and acquaintances.

The screenshot below shows the transmission in which ANDROIDOS_CONTACTS sends the content of the phone book to the external server. As you can see, “myid=080 {masked}” is the phone number of the affected user, and “090 {masked}” is a phone number registered in the phone book on the affected user’s device.
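To turn the indicators in that transmission into something a defender can run, here is an added Python example (not code from the original post or from Trend Micro) that scans a captured form-encoded request body for the exfiltration pattern: a myid device identifier (the field name from the traffic shown) travelling together with several other Japanese mobile numbers and email addresses. The sample bodies are constructed; the data field name, the record layout, and the URL encoding are assumptions, since the post only shows the myid parameter.

```python
"""Heuristic detector for phone-book exfiltration in captured HTTP request bodies.

Added example: the only detail taken from the original post is the 'myid'
parameter carrying the victim's own number; everything else is assumed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlencode

# Japanese mobile numbers start with 070, 080 or 090 and have 11 digits;
# allow the common hyphenated form as well.
JP_MOBILE = re.compile(r"(?<![\d-])0[789]0-?\d{4}-?\d{4}(?![\d-])")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(number: str) -> str:
    """Strip hyphens so '090-1111-2222' and '09011112222' compare equal."""
    return number.replace("-", "")


def analyze_body(body: str, min_contacts: int = 3) -> dict:
    """Extract indicators from one form-encoded request body.

    The body is flagged when it carries a 'myid' device identifier together
    with at least `min_contacts` *other* Japanese mobile numbers: a request
    made on behalf of a single user has no reason to transmit third-party
    numbers. Email addresses are reported as a supporting indicator.
    """
    params = parse_qs(body, keep_blank_values=True)
    own_number = normalize(params.get("myid", [""])[0])
    decoded = unquote_plus(body)  # search the decoded form, not the raw encoding
    numbers = {normalize(n) for n in JP_MOBILE.findall(decoded)}
    contacts = sorted(numbers - {own_number})
    emails = sorted(set(EMAIL.findall(decoded)))
    return {
        "device_id": own_number or None,
        "contact_numbers": contacts,
        "emails": emails,
        "flagged": bool(own_number) and len(contacts) >= min_contacts,
    }


# --- Constructed sample traffic (not real captures) ---------------------------
STOLEN_ENTRIES = [  # name, number, email: the three fields the post says are taken
    ("山田", "090-1111-2222", "yamada@example.jp"),
    ("鈴木", "090-3333-4444", "suzuki@example.jp"),
    ("佐藤", "080-5555-6666", "sato@example.jp"),
]
# Victim's own number in 'myid' (as in the post); stolen entries in an assumed
# 'data' field, records separated by '|' and fields by ','.
EXFIL_BODY = urlencode({
    "myid": "08012345678",
    "data": "|".join(",".join(entry) for entry in STOLEN_ENTRIES),
})
# A benign registration request sends only the user's own identifier.
BENIGN_BODY = urlencode({"myid": "08012345678", "action": "register", "version": "1.2"})


if __name__ == "__main__":
    for label, body in (("exfil", EXFIL_BODY), ("benign", BENIGN_BODY)):
        result = analyze_body(body)
        print(f"{label}: flagged={result['flagged']} "
              f"contacts={len(result['contact_numbers'])} emails={len(result['emails'])}")
```

Run stand-alone, the exfiltration sample is flagged with three third-party numbers and three addresses, while the benign registration is not. The threshold is deliberately low because even a handful of other people’s numbers in a single-user request is abnormal; note that the check only works on plaintext bodies, so it belongs after TLS interception or on a decrypted capture, and the 070/080/090 pattern would need adjusting for other countries’ numbering plans.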

This threat is not limited to Japan. On October 26, 2012, the Korea Information Security Agency (KISA) also released an alert (in Korean) about fake anti-spam apps that steal mobile users’ information and send it to external servers.

For feature phones, security issues are generally limited to losing the device itself or, perhaps, sending spam text messages. For smartphones, the security risk is greater because users can easily install third-party apps that may not come from legitimate developers or telecommunications companies. The distribution channels for third-party apps can be abused by cybercriminals as well. Users should understand that the increased power of mobile devices also increases the risk.

Trend Micro products like Trend Micro Mobile Security (known as Virus Buster Mobile for Android in Japan) detect these mobile threats.

Aside from the apps above, which are clearly fraudulent, there are also more subtle cases in which smartphone users encounter privacy threats somewhat differently. In such cases, the “extracted” user information was presented as “necessary” to install the app, but users may not have been fully informed of the privacy consequences.

In the next entry, I will show the risks of the subtle information leaks caused by such apps, which also targeted Japanese users with the phrase “for free.”

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 19 November 2012; the full text is available at the source linked above.