Fake Antivirus App Steals Contact Data on Mobile Devices

The authors of Android.Enesoluty have added another app to their repertoire. The new app is called “Safe Virus Scan” in Japanese, and as the name suggests, it is supposed to function as an antivirus app. However, as you might have guessed, it does not contain any antivirus functionality and the only action it performs is to steal personal data.

Previous variants displayed messages stating that the app was incompatible with the device. However, unlike its predecessors, this app appears as though it actually functions as advertised.

Figure 1. Fake scan run by malicious app

By the time the scan is complete, the app has uploaded all contact data that is stored on the device to an external site. The app is actually quite convincing and it is difficult to identify anything suspicious about it.

As we have seen in similar cases, the app is downloaded by following a link in a spam email that leads to a third-party hosting site.

Figure 2. Site hosting the malicious app

This is a popular method used by scammers to steal contact data in Japan. Some of the spam emails are devoted entirely to introducing apps, while others mention the app only briefly in an otherwise unrelated message. Some state that the sender has changed email addresses so that the recipient is not suspicious of an email arriving from an unknown address.

Another tactic used recently by these scammers is to create fake Google Play pages to host the apps.

Figure 3. Examples of fake Google Play pages
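A mail-filter style check for the two delivery paths described above (a spam link to a third-party hosting site, and a fake Google Play page), added here as an example and not code from the original post. The lookalike heuristic, the function names and the sample message are assumptions constructed for illustration; the post does not list the URLs involved.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "play.google.com"  # genuine Google Play web host
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Store branding used anywhere in a URL (assumed heuristic, not from the post).
BRAND_RE = re.compile(r"google[-_.]?play|play[-_.]?google")

def classify_link(url):
    """Return 'official-store', 'fake-store-lookalike', 'direct-apk' or 'other'."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "other"
    # .hostname lowercases the host and drops any "user@" prefix and port, so
    # "https://play.google.com@dl.example.test/" resolves to dl.example.test.
    host = (parts.hostname or "").rstrip(".")
    if host == OFFICIAL_HOST:  # exact match only, never a substring test
        return "official-store"
    if BRAND_RE.search(url.lower()):
        return "fake-store-lookalike"
    if parts.path.lower().endswith(".apk"):
        return "direct-apk"  # sideloaded package from a third-party host
    return "other"

def triage_email(body):
    """Return (url, verdict) for every link in the body that warrants a warning."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing sentence punctuation
        verdict = classify_link(url)
        if verdict in ("fake-store-lookalike", "direct-apk"):
            findings.append((url, verdict))
    return findings

# Constructed sample message; all hosts are reserved example/test names.
SAMPLE_EMAIL = """\
I changed my email address, please update your contacts.
By the way, this free scanner is great: http://files.example.test/dl/scan.apk
Store page: https://play.google.com.apps.example.test/store/apps/details?id=x
Genuine link: https://play.google.com/store/apps/details?id=com.example.app
Tricky one: https://play.google.com@dl.example.test/store/
Unrelated: https://news.example.test/article
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:22} {url}")
```

The exact-host comparison is the important part: both lookalike links in the sample contain the string `play.google.com` yet resolve to a different host.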

If you happen to stumble upon these types of tricks, such as emails from unknown senders providing links to download apps, I would advise you to avoid downloading the app involved. To help protect your device, you can install security apps such as Symantec Mobile Security and Norton Mobile Security.