Miracle Battery-Saver App Harvests Email Addresses for Spamming

An issue that many smartphone users have with their phones is that their device battery just does not last long enough; it needs to be recharged. While the battery may last a whole day for some, power users who use their phone more often have to come up with various tricks to get their battery to last a full day. There are many ways to reduce battery use and, of course, there are many apps to help maximize battery performance. These do help—but for many it does not solve the issue.

So what if, one day, you find out about a special app that can reduce battery use by half? Exactly. This is the strategy being used to deceive innocent Android users into installing an app that is supposed to reduce battery use, but in reality does nothing but steal the user's contacts data stored on the device.

Recently, Japanese spam email has been circulating attempting to lure users into clicking on a link which downloads and installs a malicious app. The app can exfiltrate personal details stored in the user's contacts data (name, phone number, email address, and more) to an external website. The app performs no actions to save battery power.

This malicious app only requests two permissions when it installs. The developer may have limited the required permissions as much as possible to avoid suspicion. The first permission asks to read the user's contacts data (in order to acquire the personal data) and the second permission asks to access the Internet (in order to upload the personal data).
 

Figure 1. Permission request
 

Once the app is installed and launched, a setup screen appears for a second then a message is displayed stating that the device does not support this app. However, in the background the app steals the user's contacts data.
 

Figure 2. Setup screen
 

Figure 3. Message stating device is not supported
 

The developers of this malicious app are most likely trying to harvest email addresses so that spam can be sent to them as well. By tracing the spam message back to the sender, we can confirm that these criminals are also operating various social networking and dating sites already notorious for sending spam, and they own many domain names associated with well-known brands. All these components together will likely be used in various ways to scam users.

Symantec detects this malicious app as Android.Ackposts. We have recently observed several other malicious apps—variously detected by Symantec as Android.Dougalek, Android.Uranico, and FindandCall—that attempt to steal a user's contacts data. Spam and Android malware continue to threaten users, so stick with well known and trusted app markets and be wary when installing apps that require read access to your contacts data.