Android.Exprespam Potentially Infects Thousands of Devices

Android.Exprespam was discovered at the beginning of January and has only been around for about two weeks, but the scammers seem to be having a lot of success with the malware already.  Symantec has acquired some data that has allowed us to get an idea of how successful Exprespam may be in scamming Android users into providing personal data. The data obtained, which is only a portion of the complete data, indicates that the fake market called Android Express’s Play has drawn well over 3,000 visits in a period of a week from January 13 to January 20.

Based on several sources*, I calculated that the scammers may have stolen between 75,000 and 450,000 pieces of personal information.

Figure 1. Potential amount of stolen information

The scam has only been around for about two weeks so I am sure that this is just the beginning for the scammers and the amount of personal data collected will increase exponentially. As proof of this, we have found yet another domain registered by the creators of Exprespam and they also created another version of their fake market on the new domain. This time, they have decided to not give the market a name or provide the name of the party maintaining the market. At the time of writing, the new market does not appear to be in active use yet and may currently be under construction or on standby but that has not stopped the scammers as a new malware variant is already being hosted on the site.

Figure 2. Various fake app markets used by the Exprespam scammers

As you can see through the series of Exprespam blogs I have written, the scammers  are constantly modifying their tactics so that the scam provides a good “return” for them. These updates will not end until the scammers either are caught by the authorities and punished or cease scamming people, which is unlikely to happen anytime soon. By now, hopefully most readers who have been following this blog series are now familiar enough with this scam to avoid downloading and installing this malware.

Android users can stay safe by avoiding links in emails you receive from unknown sources, by downloading apps from well-known and trusted app vendors, and by installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on the device.  For general smartphone and tablet safety tips, please visit our Mobile Security website.

* To estimate how much personal information may have been stolen, I combined the number of visits to Gcogle Play, the original fake market for Exprespam, and the new market. I am guessing the number of visits to Gcogle Play to be 2,000 as this site was live for the same number of days as Android Express’s Play.  I then calculated the number of contacts on average in each compromised device by taking the total number of contact details stolen by the malware, Android.Dougalek (aka the Movie malware) and Android.Ackposts, and then dividing it by the total number of infections (according to media reports, Dougalek stole about 11.8 million pieces of personal data from 90,000 devices, and Ackposts stole about four million pieces of personal data from 18,000 devices). That figure is 150 pieces of personal information per device.

To arrive at a conservative estimate, I assumed that only a small number—one in ten—of visitors may have actually downloaded and installed the malicious app for a total of 500 infections.

Conversely, if I assume that the number of users actually downloading and installing the app after visiting the site is about 3,000, we arrive at a much larger figure. Both calculations are shown in Figure 1.

I would like to note that this is not the number of unique contacts stolen. Furthermore, these numbers are just estimates to give a better understanding of the scale of the scam. As we do not have the complete data, the actual number is more than likely greater than my estimates.

Update [January 23, 2012] - Symantec has confirmed that a new type of spam message is now luring email recipients to the latest fake market that has no name. The spam, pretending to come from someone the recipient knows, looks like the following:
お久しぶりですねー! 元気にしてますかぁ~? 私もやっとスマホに変えましたよ(笑)
最近はのんびりしながらOLしてます♪ 今度、ご飯でも行きましょうね♪ この前、雑誌見て
て面白いアプリあったから見てみて~。 http://linktothefakemarket/xxxxx

The site has been visited over 2,500 times since the attack started on January 23. This is a much bigger figure than the figure we collected previously, indicating that this could be a bigger scam than we had initially guessed.