Busy August for One-Click Fraud Scammers on Google Play

For many of us around the globe, August may be a month to take a bit of a break from work and go on a summer holiday. In contrast, August appears to be the busiest month of the year for the scammers developing Japanese one-click fraud apps. They have increased productivity to publish close to 1,000 fraudulent apps on Google Play during August. As a result, they have succeeded in tricking Android device owners into downloading the apps at least 8,500 times, according to the statistics shown on the Google Play app pages. The actual figure is likely much higher and probably exceeds 10,000 downloads.


Figure 1. Daily publication count for August

The number of one-click fraud apps published from the beginning of the year to the end of August now totals approximately 2,500, and the scammers show no signs of slowing down. As usual, most of the apps in August only survived one night before they were removed from the store by the following morning. It appears, however, that one night is enough for the scammers to score numerous downloads. The scammers routinely publish apps every single afternoon, perhaps as they end their working day in the office. The chance of app survival increases when they are published over the weekend, and some are lucky enough to live for several days, allowing time for hundreds of downloads.


Figure 2. Apps published monthly

As in previous months, August saw several new types of one-click fraud apps appear. They tend to use different tactics, but these new variants have not been very successful, eventually disappearing quite quickly. Interestingly, the same group of scammers publishes 97 percent of the apps.


Figure 3. Variants published in August

One of the newest variants has had some success in staying alive on Google Play, though the number of downloads remains limited. These apps include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service. The fee to watch adult videos on these sites is typically around US$1,000, which is extremely expensive compared to the average cost of a legitimate service. By mixing the malicious links among other legitimate links, the apps attempt to stay hidden from security checks. The bad links also lead to a redirector URL that then directs the apps to open whatever sites the redirector is configured with. This allows scammers to easily modify, on the server side, where the apps ultimately lead if they are under suspicion of being involved in any malicious activity.
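The redirector behaviour described above is why a one-time look at the links inside an app is not enough. The following Python code is an added example, not code from the original post: it walks recorded redirect chains for the links found in an app and flags links that leave their own host or whose final destination changed between two scans. All URLs and recorded responses are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data: url -> (HTTP status, Location header) as recorded
# on two scan dates. All hosts are placeholders under .example.
REDIRECTOR = "http://r.redirector.example/go?id=7"
SCAN_1 = {
    "http://videos-a.example/": (200, None),
    "http://videos-b.example/": (200, None),
    REDIRECTOR: (302, "http://videos-c.example/"),
    "http://videos-c.example/": (200, None),
}
# Second scan: only the redirector's server-side target has changed.
SCAN_2 = {**SCAN_1, REDIRECTOR: (302, "http://pay.example/play"),
          "http://pay.example/play": (200, None)}
APP_LINKS = ["http://videos-a.example/", "http://videos-b.example/", REDIRECTOR]


def resolve(url, responses, max_hops=5):
    """Follow recorded redirects and return every URL visited, in order."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = responses.get(chain[-1], (None, None))
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def triage(links, earlier, later):
    """Flag links that leave their own host or changed destination between scans."""
    findings = {}
    for link in links:
        before, after = resolve(link, earlier), resolve(link, later)
        flags = []
        if urlsplit(after[-1]).hostname != urlsplit(link).hostname:
            flags.append("cross-host-redirect")
        if before[-1] != after[-1]:
            flags.append("destination-changed")
        if flags:
            findings[link] = {"final": after[-1], "flags": flags}
    return findings


if __name__ == "__main__":
    for link, info in triage(APP_LINKS, SCAN_1, SCAN_2).items():
        print(link, "->", info["final"], info["flags"])
```

The two legitimate links produce no findings; only the redirector link is reported, with both flags set once its server-side target changes.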

The app works in the following way:

  1. Once the app is installed, the user is presented with several links to adult-related video sites.
  2. Some of the links lead to fraudulent sites. The user then chooses a video from one of these sites.
  3. The user attempts to play video.
  4. The user is asked to pay a fee.


Figure 4. Fraudulent app

While app stores allow users to easily search for and download apps, there is always a risk of getting fooled into downloading illegitimate apps. Users should only install apps they are certain they can trust. Symantec also recommends using Norton Mobile Security to help stay protected. The apps discussed in this blog are detected by Symantec products as Android.Oneclickfraud.

Crypto prof asked to remove NSA-related blog post

Matthew Green is a well-known cryptography professor, currently teaching in the computer science department of Johns Hopkins University in Baltimore. Last week, Green authored a long and interesting blog post about the recent revelations that the National Security Agency (NSA) has, among much else, subverted crypto standards. In his words, "The TL;DR ['too long; didn't read' version] is that the NSA has been doing some very bad things." And Green went on to speculate at some length about what those "bad things" were and what they might mean.

Today, Green's academic dean contacted him to ask that "all copies" of the blog post be removed from university servers. Green said that the move was not "my Dean's fault," but he did not elaborate. Were cryptology professors at Johns Hopkins not allowed to say, as Green had, things like:

I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.

Was basic academic freedom on the line? Had the request even come initially from Johns Hopkins or from outside the school—perhaps someone at the NSA headquarters just up the road from Baltimore?



Google’s Chrome Apps – Are They Worth The Risk?

So there’s been a bit of debate lately about Google’s Chrome apps after the launch. Most of you have probably heard of Chrome OS a while back, with a few Chromebooks popping up here and there. Chrome Apps are the next generation of browser apps that can be run offline and eventually will be cross [...]

Read the full post at darknet.org.uk

Aggressive Ad Module Scans Android Apps

During our routine patrols of popular marketplaces offering Android applications, we recently came across some suspicious applications hosted on the popular Google Play. The applications are distributed as hacking tools, utility tools, and pornographic apps by different developers. Here are images for a few of them:



Suspicious applications on Google Play.

These apps appear to offer none of the functionality their titles promise, such as “increase Internet speed” and “phone hacking.”

Once installed by the victim, the apps appear to work at first but in fact they simply display screens with interactions that are all fake, using hard-coded or random values generated by the code to seem legitimate. In short, these apps are fake or joke applications.

These fake apps appear to be working on the surface.

Hard-coded PIN in the code.

These apps also bundle several components that relentlessly show advertisements after the user closes the app. In our research, we found that one of the ad modules has an online scanning function, which checks the apps installed on the device without notifying the user and aggressively displays a purchase screen.

Executed online scan function.

We also confirmed the ad module attempts to download the alleged antimalware application Armor for Android from a remote server.

The “antimalware” application downloaded from a remote server.

As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications. They are a favorite vector for malware infection. McAfee Mobile Security detects these suspicious fake apps as Android/FakeBapp.C.