Anaru Malware Now Live and Ready to Steal

Recently, I blogged about a famous Anime character named Anaru who was being used to steal contact details from Android devices. At the time of investigation, the app appeared to be in a testing phase, with the possibility that it might have been created for fun. However, the app’s creators now appear to have moved to the next level and are now actively enticing Android device owners to install the app.

The Anaru malware, which Symantec detects as Android.Maistealer, is now hosted on multiple, dedicated websites that resemble Google Play. The app is not available on Google Play, as far as I am aware of, and is only available on these dedicated websites.
 


 

The app has not changed since the last time I wrote about it. When the app is downloaded and installed it works as advertised; it allows a user to use the touch screen to manipulate the character's body. A user would not have any reason to suspect that personal data had been stolen unless the user paid close attention to the installation screen. By installing the app, the user gives permission for it to read contact data, a functionality that should not be required for this type of app.
 

  

Figure 1. Installation screen and app screen
 

The malware authors now have a dedicated website to distribute their Anaru app, but this is not their only method of getting onto a user device. The same group has also created a fake battery saver app called EnergyHelper1, which Symantec detects as Android.Enesoluty. It is advertised using spam written in Japanese, as shown in Figure 2. It attempts to entice Android device owners, who are dissatisfied about the short battery life of their device, to download the app.
 

  

Figure 2. Spam examples
 

Users are tricked into believing that the malicious app is a handy utility that saves battery life or charges the battery by turning the screen into a solar panel. These types of apps have become very popular among Japanese scammers. Malware like Android.Ackposts, Android.Ecobatry, and Android.Sumzand all use this strategy. Once the user clicks on the link included in the body of one of the emails, they are taken to a page similar to the one the Anaru app is hosted on; this is another fake app market.
 

Figure 3. Fake battery saving app

Once the app is downloaded and installed, it appears to run before stating that it is incompatible with the device. This is an attempt to get the user to give up using the app, but the contact details stored on the device have already been collected and uploaded to a remote location.

     

Figure 4.  Device incompatible error message
 

We now know that this criminal group was not just playing around with the Anaru app in July. They have been busy developing another app, as well as setting up dedicated sites to imitate legitimate app markets.

Symantec recommends users always follow security best practices and be cautious of suspicious emails—particularly unsolicited emails from unknown individuals advertising Android apps.  When downloading apps, users are advised to visit established and trusted app markets. To further protect your device, Symantec recommends using a security app, such as Symantec Mobile Security and Norton Mobile Security.