The New Japanese “Not Just One-Click” Fraud on Google Play

Since the beginning of the year, Japanese one-click fraud scammers have continued to pump new apps onto Google Play and the market has struggled to keep itself clean. Though many are removed on the day they are published, some remain for a few days. Although they have short lives, the apps must provide ample profit for the scammers as they show no signs of halting their development of new ones. Their tactic of abusing the search function on Google Play allows their apps to be easily bumped to the top of keyword searches. A test search carried out by Symantec resulted in 21 out of 24 top hits being malicious apps.
 

One Click 1.png

Figure 1. Search with only 3 out of 24 results not malicious
 

The scammers have been persistent as well, publishing apps almost daily amounting to over 1,200 apps in total being published over the last seven months.
 

One Click 2.png

Figure 2. Activity over seven-month period
 

Because of the success the scammers appear to be having, it seems a new player has come along to try their luck on the market. The new scam is a variation on the typical one-click fraud we see in Japan. The new type not only requires clicks, but it also requires users to send an email in order to register to become a member of a service, call a given phone number to acquire a password, and enter the password to log into the fraudulent site. That’s quite a bit of work to get through just to be scammed. Once the user successfully logs into the site, they are charged an annual fee of 315,000 yen, which is equivalent to approximately US$3,150, for watching online adult videos without any obvious prior warning of the fee.
 

One Click 3.png

Figure 3. Three developers previously posting malicious apps
 

The app is downloaded from Google Play.
 

Figure4_2.png

Figure 4. App download page
 

Once the app is opened, the browser is launched to open an adult video site.
 

Figure5_0.png

Figure 5. Adult video site
 

If the user tries to play a video from the adult site they are requested to register to become a member in order to watch all site’s videos.
 

One Click 6.png

Figure 6. Registration request page
 

An email is automatically drafted when the ‘send email’ button is clicked. All the user needs to do is to click on the “send” button.
 

One Click 7.png

Figure 7. Automatically drafted email
 

Shortly after, the service returns an email containing a link.
 

One Click 8.png

Figure 8. Email containing link
 

Clicking on the link takes the user to another service on a different site.
 

Figure9.png

Figure 9. Another adult video site
 

This time when a video is selected, the user is asked to enter a password to log in.
 

One Click 10.png

Figure 10. Password request page
 

Clicking on ‘confirm password’ prepares the phone to make a call to a pre-determined number.
 

One Click 11.png

Figure 11. Phone preparing to call a pre-determined number
 

When the call is made to this number, an automated message tells the user the password. After logging into the site with the given password, a page appears on the browser informing the user of the registration details as well as notifying them of a whopping 315,000 yen annual fee due in three days.
 

One Click 12.png

Figure 12. Registration and annual fee details
 

I don’t recall reading anything about the service requiring an annual fee…although, wait a minute, there is a hidden link to a EULA on the page where the password is entered. The sentence where the link is states that to use the site you must be an adult who has agreed to the user agreement. The link is very faint compared to other text on the page.
 

One Click 13.png

Figure 13. Almost hidden link to EULA (highlighted in red box)
 

It does in fact state that the service has an annual fee in the EULA, if you can eventually find it that is. There are some very sneaky tactics being used here!
 

One Click 14.png

Figure 14. EULA
 

Because these apps only launch the browser to open certain sites, which request users to take additional steps to reach the final destination, it can almost be impossible for any system to confirm anything malicious about these apps. The manual steps required in this scam is another strategy used to keep the apps on the market as long as possible. Human analysis may be the only way to discover these sorts of apps. We have so far confirmed over 100 of these apps published on Google Play since the beginning of July. At the time of writing, there are currently still 30 apps, published by three developers, still available on the market. Symantec continues to inform Google about these apps so that they can be removed. Hundreds of users have downloaded the apps, but the actual number could potentially be over a thousand. It is unknown how many people have actually been tricked into paying the fee. The apps discussed in this blog are detected by Symantec products as Android.Oneclickfraud. Please take precaution when downloading apps, regardless of where they are hosted and we recommend using our Norton Mobile Security to help protect you.