“The Movie” Malware Steals Personal Information from Japanese Android Users

Over the past week or so, there has been an ongoing discussion on the Internet about some Android applications that looked suspicious. Most of the apps were supposedly designed to mimic popular games in Japan or play a video in relation to the game. However, users who installed the apps questioned their legitimacy.

Symantec has so far identified 29 apps belonging to seven developers with these characteristics and has confirmed they are malicious. The apps share common programming code, so we can assume that a single individual or organization is behind them. The very first app we confirmed appeared on Google Play around February 10, and more followed until late March. Originally the apps posted were not game related, but were random ones including apps of an erotic nature, a contact management app, a recipe app, and a diet assistant app, to name a few. But the number of downloads was low. Then in late March, a bunch of apps with names ending in “the Movie” were released. These apps caught the attention of a large number of users who installed them.

The total number of installations is up to at least 70,000, but could potentially be as high as 300,000. The number of infected devices is unclear since a user could have multiple installations, but I would estimate the figure to be in the same range as the number of installations. The victims are not only the users whose devices are infected: the people in their Contacts are victims as well, since their information is stolen. According to a survey conducted by NTT Advertising in October 2010, the number of contacts for mobile users in their 20s averages 74.8, while users in their 30s average 51.6. This could mean that potentially millions of people may be affected.

These apps request three permissions as shown in the screenshot below. The description of many of the apps makes it sound like network access is necessary. However, they should not need to read personal data or the phone identity.

[Screenshot: the three permissions requested by the apps]

For some reason, the names of the apps on the mobile device do not match the names of the apps shown on Google Play. For example, one of the apps appears as follows on Google Play.

[Screenshot: the app's listing on Google Play]

When it’s actually installed, the icon and the name of the app are as shown below. This is another indication that something suspicious is going on.

[Screenshot: the same app's icon and name once installed on the device]

If these apps are installed and opened, they connect to an external server prepared by the scammers to download MP4 files to play videos. However, in the background, the phone number of the device as well as details including name, phone number, and email address of individuals in the phone’s Contacts are exfiltrated to the same server as well. The apps are able to send the information because permissions were given at the time of installation.
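The permission mismatch described above is something a reviewer can check mechanically: an app that only plays a video has no reason to declare contact or phone-identity permissions. The following triage helper is an added example, not Symantec's tooling or code from the apps; it parses a constructed AndroidManifest.xml excerpt and flags declared permissions that fall outside a baseline assumed for a video-player app. The permission names `READ_CONTACTS` and `READ_PHONE_STATE` are real Android permissions and are assumed here to be what the blog's "personal data" and "phone identity" refer to.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS

# Constructed manifest excerpt modelled on the behaviour the post describes:
# network access plus the ability to read contacts and the phone's identity.
# The package name and label are placeholders, not values from the real apps.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.themovie">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example the Movie">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Assumed baseline: permissions a video-streaming app plausibly needs.
VIDEO_PLAYER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Permissions whose presence in a video player warrants manual review,
# with a short note on what each one lets the app read.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_PHONE_STATE": "reads phone identity (number, device IDs)",
    "android.permission.READ_SMS": "reads SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "reads precise location",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def app_label(manifest_xml):
    """Return the android:label of the <application> element, if present."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return app.get(LABEL_ATTR) if app is not None else None


def flag_excess_permissions(manifest_xml, baseline=VIDEO_PLAYER_BASELINE):
    """Map each permission outside the baseline to a reviewer-facing note."""
    excess = declared_permissions(manifest_xml) - baseline
    return {p: SENSITIVE.get(p, "not needed for video playback") for p in sorted(excess)}


def verdict(manifest_xml):
    """Return ('review', [sensitive perms]) or ('ok', []) for a manifest."""
    flagged = flag_excess_permissions(manifest_xml)
    sensitive_hits = [p for p in flagged if p in SENSITIVE]
    return ("review" if sensitive_hits else "ok", sensitive_hits)


if __name__ == "__main__":
    status, hits = verdict(SAMPLE_MANIFEST)
    print(f"{app_label(SAMPLE_MANIFEST)}: {status}")
    for p in hits:
        print(f"  {p}: {SENSITIVE[p]}")
```

Run against a real APK, the manifest would come from a decoder such as apktool or `aapt dump xmltree` rather than the inline string; the check itself is the same. The baseline is deliberately narrow: the point is not that these permissions are always malicious, but that a declared purpose (play a video) and a declared permission set (read everyone's contacts) should agree, and when they do not, the app deserves a closer look before install.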

The purpose of this attack is not clear; however, a strong assumption is that the scammers are harvesting email addresses and phone numbers to use in their next round of malicious activities, such as email spam scams or phone calls attempting to defraud individuals. The information could also be sold to criminal groups.

For those with devices that may be infected, you can check the list below to see if any of them is installed on your device. These are only the apps that Symantec has confirmed, and the list may not be comprehensive. The names in the left column are the names shown on the Android device, while the names in the right column are the names shown in Google Play. Some apps have multiple names in Google Play. All apps appear to have been taken down and are currently unavailable on Google Play.

[Table of confirmed apps: name shown on the device (left column) and name shown in Google Play (right column)]

The screenshot below shows examples of how some of the icons look on the device. If you see any of them, you should delete them.

[Screenshot: examples of the apps' icons as they appear on the device]

You can also use Norton Mobile Security to disinfect your phone. Symantec detects these apps as Android.Dougalek. The product will detect all apps listed above as well as apps with identical traits that we have not come across yet.

It is interesting to note that these apps post the personal data to a hosting server known to distribute Android.Oneclickfraud variants. The information that Android.Oneclickfraud attempts to steal is also exfiltrated to the same server. Could this be a coincidence, or is there some relationship between the two malware families? According to Yomiuri Online, the Tokyo Metropolitan Police Department has begun investigating this incident and is attempting to track down the Android.Dougalek developers. We’ll continue looking into this and will update this blog accordingly. Please stay tuned.