Android.Oneclickfraud Sister Scams Continue to Have Success

As it has been a little over a month since I blogged about the arrest of the Android.Oneclickfraud gang and how the sister apps were still alive. I wanted to take some time to give you an update on the recent activities involving the two sister apps. Unfortunately, the two sites hosting the apps are still healthy and active. The gangs maintaining the sites reacted quickly to the publication of the blog last month by fixing the security issues on the websites, although some holes still remain. Interestingly, one site is more secure than the other, which leads me to believe that separate administrators are maintaining the sites. In fact, the sites may well be operated by two different groups.

The groups also appear to have been scrambling to update their sites in various ways, possibly to avoid prosecution, as there have been a number of notable activities taking place during the past month. Let me highlight a few of the major changes.

Besides the security fix, site A has changed its name from Erotte Iitomo [エロっていいとも] to Erovia no Izumi [エロビアの泉].

Figure 1. Old title for site A

Figure 2. New title for site A

The URL as well as the content remains the same, however. This particular site has received the most attention, so maybe the gang thought it was time for a name change.

Site B at one point changed the text on the button (used to download the app) from “download” to “99,800 yen” in an attempt to make the site look like a legitimate service.

It is currently not distributing malware as far as we know, but is relying on a simple trick of displaying a completed registration page with details that include the user’s IP address, browser, and hardware model, which are then used to scare the user into making payment. This type of scam is apparently successful because there are quite a few of these sites on the Internet at the moment, and there are many victims asking for advice on how to deal with the scam. Site A also dropped the app in favor of this type of scam for a certain period as well, but has since returned to distributing the app.

It is worth noting that the changes I am referring to here are applicable solely to the Android devices visiting the sites; both sites have been using the simple trick of displaying a completed registration page to target non-Android devices from the start, and still do so today.

The two sites have also intermittently been either offline or had been broken links preventing the scam from succeeding. The owners are carelessly updating the site, which causes a lot of downtime. For some reason the last modified dates of the existing files on site A have changed from older dates to July 14. This probably means that there is some sort of major maintenance or updates taking place on the website.

Despite all this, the actions taken by the gangs might have actually boosted profitability for them. On site A, we are still able to check the number of registrations taking place and the figure indicates an upward trend, although I cannot validate how accurate the figure is.

Figure 3. Registrations per day on site A

If this figure is accurate, then it means the total number of registrations surprisingly increased by approximately 60 percent in just the last month.

Symantec has made attempts through various channels to shut down the sites, but we have unfortunately been unsuccessful so far. This may be due to the fact that it can be difficult to determine whether one-click frauds are illegal or not. They are borderline operations that use tricks to lure users into registering. It is disappointing that there is not a more effective framework for putting sites like these out of action. We can only hope that word gets out to enough users about these sites so that they can avoid getting scammed. Hopefully, in the near future, entities such as the service providers, security organizations, as well as the authorities can work together more efficiently to shut these types of sites down.

Although a lot of attention has been focused on these sites due to arrests, users also need to be aware that there are other sites distributing similar malicious apps, such as the Eroid site (エロイド).

Figure 4. Top page of Eroid

This particular app uses an icon almost identical to the pre-installed Downloads manager app to disguise itself. If anyone sees two icons like this on their Android device, there may be something suspicious going on.

Figure 5. Downloads app icon on left, and malware icon on right

Symantec considers these apps to be malicious and users of our mobile products are protected against the apps, which are detected as Android.Oneclickfraud. Users need to be wary when installing apps: it is often safer to stick with well known and trusted app markets to download from. I also recommend using a security app, such as Norton Mobile Security, to help protect your device.