It was only a few weeks ago that concerns were raised about the lack of restrictions on photo access on the Android platform: an app needs no permission at all to read image files stored on a device, so a user who unwittingly installs a malicious app can have their photos read without ever being asked. A new variant of Android.Oneclickfraud identified in the wild shows that these concerns should not be underestimated.
As previously described, this type of fraud is an extortion scam that uses pornography to lure users into downloading a smartphone app. Once installed, the app harvests personal information and then opens a Web page. This page displays a fake registration notice, populated with the harvested personal information, and demands payment. If payment is not received, the page threatens to track the user down using the information that has been collected. The attacker's hope is that victims will pay up out of shame for having clicked the link, given the pornographic nature of the material.
Figure 1. Outgoing traffic details
Previous versions of Android.Oneclickfraud were known to relay back a number of personal details. These include the device ID (a unique identifier for each Android device), GPS coordinates, the telephone number, and the email accounts associated with the device. Such personal information gives the scammers the ability to build elaborate intimidation schemes.
Figure 2. Example of a victim reaching out for advice
The latest version of Android.Oneclickfraud takes these scare tactics one step further: it has the ability to upload images. It does this by taking advantage of the fact that the Android OS, by design, does not require apps to hold any special permission to read images from the device's storage. Combined with a permission that almost every app requests anyway, such as Internet access, this allows the images to be transmitted to a remote server without the user seeing any warning related to their photos at install time.
Figure 3. Upload routine
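The practical consequence of the paragraph above is that the install-time permission list gives no hint that photos can be read; only the network side shows up. The following script, an added example and not code from the original article or from the malware sample it describes, parses a decoded AndroidManifest.xml, lists the requested permissions, and flags the combination the article warns about (INTERNET requested, no storage permission) alongside the permissions behind the personal details earlier variants harvested. The manifest embedded in it is constructed for illustration, and the package name is hypothetical. The storage-permission check is included because READ_EXTERNAL_STORAGE was only added in Android 4.1 (API 16); on the devices this article concerns it does not exist, so reading photos requires nothing at all.

```python
"""Triage a decoded AndroidManifest.xml for the pattern described in the article:
image exfiltration that needs only the INTERNET permission.
Added example, not code from the original article or the malware sample it describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate reads of external storage. READ_EXTERNAL_STORAGE did not exist
# before Android 4.1 (API 16), so on older devices no permission is needed to read photos.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions behind the personal details the article says earlier variants relayed.
PII_PERMS = {
    "android.permission.READ_PHONE_STATE": "device ID (IMEI) and telephone number",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.GET_ACCOUNTS": "email accounts registered on the device",
}

# Constructed sample manifest (hypothetical package name, not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oneclick">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Video">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return human-readable findings about what this app could harvest and send."""
    perms = requested_permissions(manifest_xml)
    findings = []
    # The article's point: INTERNET alone is enough to read and upload photos,
    # and the permission prompt says nothing about storage.
    if "android.permission.INTERNET" in perms and not perms & STORAGE_PERMS:
        findings.append(
            "INTERNET requested with no storage permission: the app can still read "
            "and upload photos from external storage, and the install prompt will not "
            "mention them"
        )
    for perm, detail in PII_PERMS.items():
        if perm in perms:
            findings.append("%s grants access to %s" % (perm, detail))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("-", finding)
```

The manifest is the only thing a user sees summarised at install time, which is why the storage finding matters: an app that asks for nothing but network access can still walk the camera directory. Run the script on the output of `aapt dump xmltree` or an apktool-decoded manifest; the constructed sample above produces one storage finding and three personal-data findings.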
The site the images were being transmitted to appears to be offline at the time of writing, but based on our previous experience with Android.Oneclickfraud, we speculate that the images would be used as one more component in building elaborate extortion tactics. For your security, install applications only from reputable sources such as official app marketplaces.