Android Malware Continues to Thrive in Japan

2012 will be remembered as the year in which Android malware spread widely in Japan and may also be known as the year when some of the developers of the malware escaped punishment for performing the malicious activities.

On October 30, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android.Dougalek. Their goal was to collect personal information stored on Android devices. Coincidently, the Kyoto Prefectural Police also arrested two men on the same day, and then two more at a later date, for the development and distribution of Android.Ackposts, which was also used to steal personal information. Symantec welcomes this news and applauds the police for their efforts.

Symantec was able to assist the Tokyo Metropolitan Police in its case by providing the details of the Android.Dougalek variants that we had knowledge of. The information was used as part of the evidence that helped lead to the arrest of the suspects. However, the group of five suspects was later released without prosecution because the prosecutor’s office determined that there was a lack of evidence to prove that a crime had taken place. According to media reports, the defendants argued that the permissions required by the apps were clearly stated during installation. As you can see below, the app asks for permission to “read contact data” and hence uploading contact details was not considered to be an illegal activity in this case.
 

Figure 1. Android.Dougalek permissions
 

On devices running Android 4.2, permissions have been organized into groups so they can be more easily understood by users and during permissions review users can click on the permission to see more detailed information about the permission. The reality is that such permissions are rarely read or understood by the average user. Symantec’s security products for mobile devices alert users to these apps to provide better information on the behavior of the apps.

It’s worth noting that at the time of writing, the developers of Android.Ackposts have yet to be prosecuted:

Android.Dougalek
*90,000 installs
*10 million PII leaked
Source The Daily Yomiuri

Android.Ackposts
*10,000 installs
*4 million PII leaked
Source: The Mainichi

The outcome of the case did not make any difference to at least one other particular group of scammers committing similar malicious acts. Even since the arrests the group has persisted in spamming out emails that attempt to lure recipients into downloading malware. The group is responsible for Android.Enesoluty, which has not only continued to send spam, but has also continued to aggressively register more domains and set them up to host the malicious apps. Emails are being sent with sender names like “Android App Magazine” and “Smart Magazine” to make the emails appear as though they have been sent by legitimate newsletters. Interestingly, the spamming primarily occurs from the afternoon until early in the morning (Japan Standard Time).

Currently, we can confirm that Android.Enesoluty can be downloaded from the pages displayed in Figure 2 on a number of domains. The pages introduce a variety of topics, including tools to improve battery life or phone reception, an antivirus app, a video app to view an undisclosed footage of a famous Japanese idol group, an adult-related video downloader app, and an entertainment app for a popular anime character.
 

Figure 2. Fake Google Play app pages
 

Once the apps are installed and launched, contact details are uploaded to the specified servers. What’s worse is that the scammers are sending large amounts of various spam to the acquired email accounts including spam such as a blank email (perhaps used to check if the account is actually active), an email advertising Viagra (which isn’t very common in Japan), an email pretending be from a manager of a famous celebrity asking the recipient to become a friend of the client (but this email only leads the recipient to a dating service website), and an email introducing the malicious apps.
 

    

Figure 3. Viagra advertisement
 

Figure 4. Celebrity manager spam email
 

Unfortunately, Android.Enesoluty may not be the only active malware circulating in Japan. Although we cannot confirm any recent spamming activity by these malicious programs, sites hosting malware such as Android.Loozfon and Android.Ecobatry are still accessible. On the other hand, Android.Sumzand, the most prevalent Android malware that spreads through email, has gone quiet for some unknown reason.

If you happen to receive emails from an unknown source trying to persuade you to download an app, think twice before clicking on the links included in the emails. I would even avoid opening up the email if possible. To be on the safe side, I recommend that you download your apps from well-known and trusted app vendors, and installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your phone.