Japanese One-Click Fraud on Google Play Leads to Data Stealing App

Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play.


Figure 1. Total number of developers and apps developed

Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication, but some, especially those published over weekends, tend to have a longer life and in some cases have download numbers in the triple digits. The scam attempts to lure users interested in adult videos to a site that attempts to trick them into registering for a paid service. Even if only one user falls for the scam and pays, that’s JPY99,800  (around US$1,000 at the current exchange rate) in the pocket for the scammers, which also means they can make more money by creating even more developers accounts to publish more fraudulent apps.


Figure 2. Developer page of the malware author

Recently, the scammers have come up with a new trick. A typical one-click fraud app uses Webview class to allow Web pages to be displayed within the app. Normally the adult-related sites leading to click fraud are displayed, but the new round of apps leads to a similar adult-related site that hosts an app that steals personal information, including Google account, phone number, International Mobile Station Equipment Identity (IMEI), Android ID, and the model details of the device. These apps act as downloaders for apps that need to be manually downloaded and installed.


Figure 3. Site hosting the malicious app


Figure 4. Fake Google Play site from where to the malicious app is downloaded


Figure 5. Data uploaded from the device

What is disturbing about the recent method used to attract potential victims is that the scammers have expanded their audience to a larger group by listing random keywords in the description of the app page whereas in the past, only words related to pornography were used. The scammers are hoping that someone searching for any type of app will come across these apps and find the icon attractive as the icons are all adult themed. The titles of the apps are also typically pornographic in nature, but some have random names.


Figure 6. App page for one of the malicious apps


Figure 7. Words listed in the description of one of the apps

We have yet to confirm how the personal information is being used, but it is likely that the victims will be contacted in one form or another from the scammers. Symantec detect the apps discussed in this blog as Android.Oneclickfraud. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.