Android.Oneclickfraud Gang Arrested, but Sister Apps Alive and Active

As reported by various Japanese news agencies, the Tokyo Metropolitan Police Department recently arrested six men in connection with fraud for using a malicious Android app to scam victims into paying for adult-related video content. Details of the operation can be found in the blog I wrote in back in January. According to the local authorities, the group tricked a total of 9,252 users into installing the app hosted on a website called the “NEW” and conned 211 of them into paying a total of approximately 21 million Yen (approx. US$260,000). The group also extracted personally identifiable information (PII) from the phones and sent it to its server. Symantec detects this app as Android.Oneclickfraud. This is the very first arrest made in Japan that involves a smartphone app. We welcome this news and applaud the law enforcement for making the arrests.

Symantec has continued to monitor one-click fraud closely; both those aimed at computers as well as smartphones. While there are countless numbers of sites aimed at scamming computer users, there have only been a handful of sites designed for smartphones to date. Out of those, we are aware of at least two sites affiliated with the site operated by the arrested men, and they are up and running at the time of this writing. Site A began operation in February and site B in May. The site “NEW” started at the end of December and ran for only about a month before ceasing the scam at the end of January.

Figure 1. Site A (left) and site B (right)

These sites are affiliated in the sense that they host the same web application to deliver almost identical malicious Android apps. They share the same source code, but are customized for each site. Below is an excerpt of an identical backup file saved on both servers. Notice the email address at the very end of the code. This is the address used by the predecessor back in January.


Figure 2. Screen shots of templates stored on both sites

These are just a few examples from a handful of codes and files that tie the three sites together. Therefore it is safe to assume that the sites are affiliated or related in one form or another.

The loosely guarded websites have allowed us to do the comparisons and to make the connections among the sites, but they are also insecure to the point where PII believed to be of the victims' is just laying around for anyone to see. In fact, the developer himself did not seem to care about protecting his own data, as details about him and his company—along with other sensitive information including account details—is inserted in the scripts used in the Web application. Interestingly, some of the details in the code even lead to his Facebook account.

It did not come as a surprise when I found out that one of the men arrested by police was Hiroki Koyama, as it is his details that I found in files on the sites. But it was surprising to see the two sister sites were still up and running after the arrest. I had originally thought it was the same group of operators jumping from domain to domain as they were being shut down for their malicious activities. I did not realize there could be multiple parties involved. You can see below that someone is still maintaining them as the last modified dates of some of the files were after the arrests were made on June 13. 

Figure 3. Last modified dates of files found in site A (left) and site B (right)

So who are these new operators? That, I don’t know. But I do have some statistics that allow us to understand how much of an impact they are potentially causing as compared to their predecessors. I cannot confirm the authenticity of the data but, using what I gathered from the sites, the total number of registrations appears to be around 48,000 and 8,000 respectively.  This does not only include the number of installations, but also registrations processed with the click of a link for non-Android smartphones users as well as computer users. Though the number of installations and registrations seems high, analysis of the available data shows that the gangs do not seem to be as successful in getting registered users to pay up. One part of the data also indicates that perhaps only a couple thousand actually had their PII captured (out of tens of thousands of users affected). But, since the fee per registration is so high for this scam, it does not require a high volume of victims to pay the fee for the operators to do well. The price that the gang charges is 99,800 Yen (approx. US$1,200) if paid within three days after the registration. After that, the fee rises to 300,000 Yen (approx. US$3,800). Note that payment is made by bank transfer. 

Figure 4. Number of registrations per day

So, with the arrest of the gang operating Android.Oneclickfraud I am hopeful that their sister sites will be taken down soon, with more arrests to follow. However, at the time of writing they show no sign of letting up.

Symantec Safeweb technology is blocking the sites hosting the apps. I also suggest that if you have not installed a security app on your mobile device yet—do so now. Symantec offers an excellent app called Norton Mobile Security.