Fortune Teller App Ripping-off Personal Data also Appeared on Google Play

We have recently encountered a fortune teller app that isn’t just trying to forecast the future; it is also stealing user information—and not to predict good fortune for the user. Last week, the Information-Technology Promotion Agency, Japan (IPA) issued a security warning about the discovery of yet another Japanese Android app that extracts personally identifiable information (PII). In April, at least 29 malicious apps (we have reasons to believe that the total number of apps could possibly be twice this) were discovered on Google Play. The malicious apps exported not only PII about the mobile device owner, but also the details of people listed in the phone’s contacts. You can read more about this information stealing in this Symantec blog.

Symantec has confirmed that the fortune teller app performs the same information stealing as Android.Dougalek, aka “The movie” malware. Our products, such as Norton Mobile Security, detect the app as Android.Uranico. The IPA notes that the app was hosted on a certain website. A number of sites focused on introducing various Android apps appear to have published details about the malicious app on April 18. The app was available for download for a little over a month before authorities had the download site taken down. Below is an example of one of the sites introducing the app.

Notice the download button at the bottom that states “Download from Google Play” in Japanese. The link directs the browser to a download page and not, in fact, to Google Play. The button is also used on all other app pages within the sites, even though many do not lead to Google Play. It may be a good idea to stay away from fishy sites such as this.

When I began investigating Android.Uranico, I originally assumed that someone had simply jumped on the bandwagon of stealing personal information from Android devices after news broke about “The movie” malware, as this particular app surfaced shortly afterwards. Furthermore, the PII that it steals is the same as the information stolen by its predecessor. After further investigation, however, Symantec has discovered that this app also appeared on Google Play. The app, along with another app published by the same developer, was published on Google Play on April 11 and 12. This is before the aforementioned sites published details about the app on their sites. These dates are actually around the time when online discussions about “The movie” apps being dodgy were first taking place.

So did the news about “The movie” malware encourage the development of Android.Uranico? The code of the two malware families differs, so they may have been written by different developers. However, it is still possible that the apps originated from the same organization or from people in the same Internet fraud industry. Furthermore, it's possible that the authors are sharing information about their latest strategies and tactics as well as trading stolen information. I like to think that there is something related here and that someone didn’t just copycat “The movie” malware when the news broke. I don’t believe it was just coincidence that both of these malicious apps happened to exist independently.

The apps are currently unavailable from both Google Play and the download website, but for those of you that may have installed them, you can examine some of the details below. Note that the app, KoibitoSagashi, is not considered to be malware, but could potentially lead to some sort of unwanted experience as a result of using it. In my investigation, a link in the app opened up an adult-themed site in the browser and clicking on some links ultimately led to a one-click fraud site.

Google Play
Developer: nakamuraGT

| App name on Google Play | App name on the mobile device | Number of installs | Release date |
|---|---|---|---|
| 即エロ完全サポートマニュアル | KoibitoSagashi | 100-500 | April 11, 2012 |
| スピリチュアル診断オーラの湖 | 占いアプリオーラの湖 | 1000-5000 | April 12, 2012 |

(The original table also showed each app's icon as displayed on Google Play and on the mobile device; those images are not reproduced here.)

Website

| App name on websites | App name on the mobile device | Number of installs | Approximate release date |
|---|---|---|---|
| スピリチュアル診断オーラの湖 | 占いアプリオーラの湖 | Unknown | April 18, 2012 |

(The original table also showed the app's icon as displayed on the websites and on the mobile device; those images are not reproduced here.)

The estimated number of installations of Android.Uranico is in the thousands, which is much lower than that of “The movie” malware. However, just like Android.Dougalek, the people affected by this threat also include the contacts stored on the device, as their PII may also have been stolen. This could therefore mean that tens of thousands, or even over a hundred thousand, people are affected.

Similar apps that we have yet to discover may well still be out there. So when installing an app, be sure to be aware of what the app is and understand what sort of actions it should perform. Then compare them to the permissions requested by the app during installation. Confirm that the permissions actually make sense. For the fortune teller app, for example, users should be suspicious of why it wants to know where they are or why it requires access to contact details.
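The permission review described above can be done mechanically once an app's manifest has been decoded (the AndroidManifest.xml inside an APK is binary; a tool such as apktool produces the readable XML). The following Python script is an added example and is not code from Symantec or from the apps discussed here. It parses a constructed sample manifest for a hypothetical fortune-teller app, compares the declared permissions against a hypothetical baseline of what such an app plausibly needs, and flags any permission that grants access to PII, noting when the INTERNET permission is also present (the combination that makes exfiltration of contacts or location possible). The baseline, the PII list and the sample manifest are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical fortune-teller app.
# This is NOT the real manifest of Android.Uranico or any app named in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fortune">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Hypothetical baseline: what a plain fortune-teller app plausibly needs.
# A reviewer would maintain one such set per app category.
EXPECTED_BY_CATEGORY = {
    "fortune_teller": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}

# Permissions that expose PII about the device owner or the owner's contacts.
PII_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book (contacts of the device owner)",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate device location",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers",
    "android.permission.GET_ACCOUNTS": "account names on the device",
    "android.permission.READ_SMS": "text messages",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml, category):
    """Compare declared permissions with the category baseline and flag PII access.

    Returns a dict with the declared list, the permissions outside the baseline,
    the subset of those that touch PII, and whether network access is present
    alongside PII access (the combination needed to send the data off the device).
    """
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    declared = declared_permissions(manifest_xml)
    unexpected = [p for p in declared if p not in expected]
    pii = [p for p in unexpected if p in PII_PERMISSIONS]
    return {
        "declared": declared,
        "unexpected": unexpected,
        "pii": pii,
        "exfil_possible": "android.permission.INTERNET" in declared and bool(pii),
    }


def format_report(result):
    """Render the review result as lines a user or analyst can read."""
    lines = ["Declared permissions: %d" % len(result["declared"])]
    for perm in result["unexpected"]:
        reason = PII_PERMISSIONS.get(perm)
        if reason:
            lines.append("  SUSPICIOUS %s -> gives access to %s" % (perm, reason))
        else:
            lines.append("  unexpected %s (not in baseline)" % perm)
    if result["exfil_possible"]:
        lines.append("  PII access combined with INTERNET: data could leave the device")
    return lines


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, "fortune_teller")
    print("\n".join(format_report(report)))
```

For the constructed manifest the script flags READ_CONTACTS, ACCESS_FINE_LOCATION and READ_PHONE_STATE as outside the baseline and as PII-bearing, and notes that INTERNET is present as well. The same check applied to a manifest that requests only INTERNET and VIBRATE produces an empty list of unexpected permissions, which is the result a user should expect from a fortune-teller app.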