Another Fake Application for Android Found on Google Play

Recently we published a blog post on the difficulties of keeping app stores free of malicious applications. Today our automated system flagged yet another example of a misleading application posted on the Google Play store.

The application, named Next Launcher 3D Pro, purports to be a free version of the legitimate app Next Launcher 3D, which can also be found on the Google Play store. On investigation, an immediate tell-tale sign that something is not right is that the publisher of the legitimate version, Go Launcher Dev Team, differs from the publisher of the supposed free version, TuranPercin. On installing the fake app, the user is presented with a screen asking them to view some offers before receiving the app for free.


Figure 1. Installation image

Only after these steps are completed does the misleading application download and prompt the user to install the paid version of Next Launcher 3D, which will not work because it is protected by Google Play's application licensing service.


Figure 2. Message shown by the original Next Launcher 3D application

Symantec has identified a further 752 apps that use this technique to trick users into installing fake versions of legitimate apps. Only one of these apps was found on the Google Play store itself, and we have notified Google of its presence.

We recommend installing a security app, such as Norton Mobile Security, which already detects the application as Android.Fakeapp.

For general safety tips for smartphones and tablets, please visit our Mobile Security website.

Fortune Teller App Ripping-off Personal Data also Appeared on Google Play

We have recently encountered a fortune teller app that isn’t just trying to forecast the future; it is also stealing user information, and not to predict good fortune for the user. Last week, the Information-Technology Promotion Agency, Japan (IPA) issued a security warning about the discovery of yet another Japanese Android app that extracts personally identifiable information (PII). In April, at least 29 malicious apps (we have reason to believe the total could be twice that) were discovered on Google Play. The malicious apps exported not only PII about the device owner, but also the details of the people listed in the phone’s contacts. You can read more about this information stealing in this Symantec blog.

Symantec has confirmed that the fortune teller app performs the same information stealing as Android.Dougalek, aka “The movie” malware. Our products, such as Norton Mobile Security, detect the app as Android.Uranico. The IPA notes that the app was hosted on a particular website. A number of sites dedicated to introducing Android apps appear to have published details of the malicious app on April 18. The app was available for download for a little over a month before authorities had the download site taken down. Below is an example of one of the sites introducing the app.

Notice the download button at the bottom that says “Download from Google Play” in Japanese. The link directs the browser to a download page and not, in fact, to Google Play. The same button is used on all the other app pages within these sites, even though many of them do not lead to Google Play either. It may be a good idea to stay away from fishy sites such as this.

When I began investigating Android.Uranico, I originally assumed that someone had simply jumped on the bandwagon of stealing personal information from Android devices after news broke about “The movie” malware, as this particular app surfaced shortly afterwards. Furthermore, the PII that it steals is the same as the information stolen by its predecessor. After further investigation, however, Symantec has discovered that this app also appeared on Google Play. The app, along with another app published by the same developer, was published on Google Play on April 11 and 12. This is before the aforementioned sites published details about the app on their sites. These dates are actually around the time when online discussions about “The movie” apps being dodgy were first taking place.

So did the news about “The movie” malware encourage the development of Android.Uranico? The code of the two malware samples is different, so they may have been developed by different developers. However, it is still possible that the apps could have originated from the same organization or from folks in the same Internet fraud industry. Furthermore, it's possible that the authors may be sharing information about their latest strategies and tactics as well as trading stolen information. I like to think that there is something related here and that someone didn’t just copycat “The movie” malware when news broke out. I don’t believe it was just coincidence that both of these malicious apps happened to exist independently.

The apps are currently unavailable from both Google Play and the download website, but for those of you who may have installed them, some details are given below. Note that the app KoibitoSagashi is not considered to be malware, but it could potentially lead to some sort of unwanted experience as a result of using it. In my investigation, a link in the app opened up an adult-themed site in the browser and clicking on some links ultimately led to a one-click fraud site.

Google Play
Developer: nakamuraGT

App name on Google Play | App name on the mobile device | Number of installs | Release date
即エロ完全サポートマニュアル (Instant Erotic Complete Support Manual) | KoibitoSagashi | 100-500 | April 11, 2012
スピリチュアル診断オーラの湖 (Spiritual Diagnosis: Lake of Auras) | 占いアプリオーラの湖 (Fortune-Telling App: Lake of Auras) | 1000-5000 | April 12, 2012

Website

App name on websites | App name on the mobile device | Number of installs | Approximate release date
スピリチュアル診断オーラの湖 (Spiritual Diagnosis: Lake of Auras) | 占いアプリオーラの湖 (Fortune-Telling App: Lake of Auras) | Unknown | April 18, 2012

The estimated number of Android.Uranico installations is in the thousands, far lower than for “The movie” malware. However, just as with Android.Dougalek, the people affected by this threat also include the contacts stored on the device, as their PII may have been stolen too. Therefore, tens of thousands or even more than a hundred thousand people could be affected.

Similar apps that we have yet to discover are almost certainly still out there. So when installing an app, understand what the app is for and what actions it should need to perform, then compare that with the permissions it requests during installation and confirm that they actually make sense. For a fortune teller app, for example, users should ask why it needs to know where they are or why it requires access to their contact details.

The Case of the Unintended Android Application Upgrade

There has been a lot of confusion over the last few hours after an application named “МТС Мобильная Почта” (MTS Mobile Mail) was automatically added to the My Apps section of some Samsung devices as an apparent application upgrade, even though these devices had never had this application installed. Some users thought this was a bug in Google’s update mechanism, but it appears Google is not responsible for these unintended updates.

When Android was first released, Symantec tried multiple upgrade scenarios to determine which fields are mandatory for an upgrade to occur and to test whether rogue publishers could replace existing applications. Applications developed for the Android platform must declare a unique identifier, known as the package name. We determined that, along with this unique identifier, two other items are required before an application can be updated through Google Play:

  • The upgraded application must be signed with the same signature (signing certificate) as the existing package
  • The versionCode of the upgraded application must be higher than that of the existing application (versionName is a display string and is not used in this comparison)

The signature requirement prevents problems when independent parties accidentally choose the same package name: without the matching key, the second app cannot replace the first. As a side note, users of Google Play’s automatic update feature get upgrades deployed automatically only if the new version requires no more permissions than the installed one. This is a further countermeasure against malicious publishers quietly elevating their privileges.
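The upgrade criteria above can be expressed as a small check. The following is an added example in Python, not Symantec’s or Google’s code: it models the package-manager rules (same package name, same signing certificate, higher versionCode) and the Google Play auto-update rule (no new permissions) with constructed metadata. The certificate fingerprints SEVEN_CERT and OTHER_CERT, the version numbers and the permission sets are assumptions for the example, not values taken from the real Social Hub or MTS applications.

```python
"""Added example (not Symantec's or Google's code): a model of the checks that
decide whether one Android package may be installed over another as an upgrade.
All package metadata and certificate fingerprints below are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ApkInfo:
    package: str                  # manifest package name, the unique identifier
    signer_sha256: str            # hex SHA-256 of the DER signing certificate
    version_code: int             # android:versionCode, the value Android compares
    version_name: str             # android:versionName, display only, never compared
    permissions: FrozenSet[str] = field(default_factory=frozenset)


def can_replace(installed: ApkInfo, candidate: ApkInfo) -> Tuple[bool, List[str]]:
    """Package-manager view: may `candidate` be installed over `installed`?
    Returns (ok, reasons); `reasons` lists every criterion that failed."""
    reasons: List[str] = []
    if candidate.package != installed.package:
        reasons.append("different package name: a new app, not an update")
    if candidate.signer_sha256.lower() != installed.signer_sha256.lower():
        # Android refuses this with INSTALL_FAILED_UPDATE_INCOMPATIBLE
        reasons.append("signing certificate differs from the installed package")
    if candidate.version_code <= installed.version_code:
        reasons.append(f"versionCode {candidate.version_code} is not higher than "
                       f"installed versionCode {installed.version_code}")
    return (not reasons, reasons)


def auto_update_allowed(installed: ApkInfo, candidate: ApkInfo) -> Tuple[bool, List[str]]:
    """Google Play view described in the post: an automatic update additionally
    requires that the new version asks for no permissions the old one lacked."""
    ok, reasons = can_replace(installed, candidate)
    new_perms = candidate.permissions - installed.permissions
    if new_perms:
        reasons.append("requests new permissions, user must confirm: "
                       + ", ".join(sorted(new_perms)))
    return (ok and not new_perms, reasons)


# Constructed fingerprints: stand-ins for the Seven Networks key and an unrelated key.
SEVEN_CERT = "11" * 32
OTHER_CERT = "22" * 32
BASE_PERMS = frozenset({"android.permission.INTERNET",
                        "android.permission.READ_CONTACTS"})

# Pre-installed Social Hub as the post describes it: package com.seven.Z7, Seven's key.
SOCIAL_HUB = ApkInfo("com.seven.Z7", SEVEN_CERT, 100, "1.0", BASE_PERMS)
# Same package name and same signer with a higher versionCode: treated as an upgrade.
MTS_MAIL = ApkInfo("com.seven.Z7", SEVEN_CERT, 250, "2.1", BASE_PERMS)
# Same package and signer but a lower versionCode, as an earlier build would have.
MTS_MAIL_OLD = ApkInfo("com.seven.Z7", SEVEN_CERT, 50, "1.9", BASE_PERMS)
# Same package name chosen by an unrelated publisher signing with its own key.
IMPOSTOR = ApkInfo("com.seven.Z7", OTHER_CERT, 999, "9.9", BASE_PERMS)
# Legitimate upgrade that asks for one extra permission: installable, but not silently.
MTS_MAIL_MORE = ApkInfo("com.seven.Z7", SEVEN_CERT, 251, "2.2",
                        BASE_PERMS | {"android.permission.SEND_SMS"})

if __name__ == "__main__":
    for name, cand in [("MTS_MAIL", MTS_MAIL), ("MTS_MAIL_OLD", MTS_MAIL_OLD),
                       ("IMPOSTOR", IMPOSTOR), ("MTS_MAIL_MORE", MTS_MAIL_MORE)]:
        ok, why = auto_update_allowed(SOCIAL_HUB, cand)
        print(f"{name}: {'auto-update' if ok else 'blocked'} {why}")
```

The real package manager compares the full signing certificate chain rather than a fingerprint; the SHA-256 stand-in is enough to show why the MTS build passes (same key, same package, higher versionCode) while an unrelated publisher reusing the package name does not.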

However, a few hours ago, some Android users started seeing the application published by MTS appearing as an upgrade for an unrelated Samsung app named Social Hub. Unfortunately, both used the same package name 'com.seven.Z7'.

Samsung’s Social Hub is an application that comes pre-installed with some devices, and has never been published in Google Play.

Samsung’s Social Hub is signed by Seven Networks, a company that develops mobile applications:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 1235473566 (0x49a3d49e)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=US, ST=California, L=Redwood City, O=Seven Networks, OU=Seven Networks, CN=Seven Networks
       Validity
           Not Before: Feb 24 11:06:06 2009 GMT
           Not After : Jul 12 11:06:06 2036 GMT
       Subject: C=US, ST=California, L=Redwood City, O=Seven Networks, OU=Seven Networks, CN=Seven Networks

Accidentally using the same package name, however, is not enough to allow an upgrade over an unrelated application. In this case the signing key of the MTS application is also the same, so this appears simply to be a case of an outsourced developer using the same signing key and package name for two of its products: one delivered to Samsung and another delivered to MTS.

Interestingly, our records show that a 'com.seven.Z7' application has been available in the Android Market since late 2011. The issue has likely only arisen now because its version number has become greater than that of the Samsung application, fulfilling one of the key criteria for an upgrade to occur.

Update: Google has now suspended the application, so it is no longer available for download from Google Play.

Android.Opfake.B Adopts Bot Tactics

Contributor: Yi Li

Since our discovery, the server-side polymorphic APK malware called Android.Opfake has continued to evolve, modifying the algorithm behind the polymorphic functionality it uses to evade detection. It also continues to change the names of the applications it impersonates and is registering countless domains to host its malicious files. Now the developers of the threat appear to be making a major upgrade, which can be seen from the permissions the malicious apps request during installation. Old variants typically asked for little beyond permission to send SMS messages.

The permission to send SMS messages was essentially all the malware needed to charge the owner of the compromised device premium SMS rates. The latest variant additionally wants permission to read contact data, modify and delete content on the SD card, and start automatically at boot, among other things.

Not only does the latest variant still send premium SMS messages, it also posts the phone number of the compromised device to a predetermined server, notifying the attacker of the infection. A back door runs in the background waiting for commands delivered by SMS: when a message containing a certain string is received, the malware treats it as a command from the attacker and, depending on the instructions, performs the following actions:

  • Send details such as the IMEI, IMSI, or any received SMS messages
  • Send SMS messages
  • Configure the URL that communicates with the server
  • Update or remove rules used by the malware to process the SMS messages received
  • Issue HTTP GET requests
  • Exfiltrate the contact list on the device
  • Download .apk files and store them on the SD card

The malware keeps itself alive by running in the background and starting automatically if the device is rebooted. There is also code that attempts to install downloaded .apk files, which could be updates of the malware; however, the current version lacks the permission needed to do so.
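The permission review recommended above for the fortune teller app and the permission profile just described for Android.Opfake.B can both be checked with one script. The following is an added example in Python, not Symantec’s code: it parses the text that `aapt dump badging <apk>` prints (both the older `uses-permission:'…'` and the newer `uses-permission: name='…'` line styles), flags risky permissions that the app’s stated purpose does not explain, and recognises the SMS-bot combination of sending SMS, receiving SMS and starting at boot. The badging samples, the package names com.example.aura and com.example.installer, and the EXPECTED per-purpose baselines are constructed for the example and were not captured from the apps discussed.

```python
"""Added example (not Symantec's code): review the permissions an APK requests
against what its stated purpose needs, using the output format of
`aapt dump badging <apk>`. The badging samples below are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Why each permission matters for the threats discussed in the post.
RISKY: Dict[str, str] = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can read incoming SMS, e.g. as a command channel",
    "android.permission.READ_CONTACTS": "can exfiltrate the contact list",
    "android.permission.READ_PHONE_STATE": "can read IMEI, IMSI and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "can track the device location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can stage downloaded .apk files on the SD card",
}

# Permissions a given kind of app plausibly needs (assumed baselines for the example).
EXPECTED: Dict[str, Set[str]] = {
    "fortune-teller": {"android.permission.INTERNET"},
    "launcher": {"android.permission.INTERNET",
                 "android.permission.SET_WALLPAPER",
                 "android.permission.EXPAND_STATUS_BAR"},
}

# Matches both aapt styles: uses-permission:'X' (old) and uses-permission: name='X' (new).
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.M)
PKG_RE = re.compile(r"^package: name='([^']+)'\s+versionCode='(\d+)'", re.M)


def parse_badging(text: str) -> Tuple[str, int, Set[str]]:
    """Return (package name, versionCode, requested permissions)."""
    m = PKG_RE.search(text)
    if not m:
        raise ValueError("no package line in badging output")
    return m.group(1), int(m.group(2)), set(PERM_RE.findall(text))


def review(text: str, purpose: str) -> List[Tuple[str, str]]:
    """List (permission, reason) for every risky permission that the app's
    stated purpose does not explain, sorted by permission name."""
    _, _, perms = parse_badging(text)
    baseline = EXPECTED.get(purpose, set())
    return sorted((p, RISKY[p]) for p in perms - baseline if p in RISKY)


def sms_bot_profile(text: str) -> bool:
    """Opfake.B-style combination: send SMS, receive SMS commands, survive reboot."""
    _, _, perms = parse_badging(text)
    return {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.RECEIVE_BOOT_COMPLETED"} <= perms


# Constructed badging output resembling a fortune-teller app that over-asks (old aapt style).
FORTUNE_BADGING = """\
package: name='com.example.aura' versionCode='3' versionName='1.2'
sdkVersion:'7'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.ACCESS_FINE_LOCATION'
uses-permission:'android.permission.READ_PHONE_STATE'
application-label:'Aura'
"""

# Constructed badging output resembling the Opfake.B permission set (new aapt style).
OPFAKE_LIKE_BADGING = """\
package: name='com.example.installer' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for label, text, purpose in [("fortune teller", FORTUNE_BADGING, "fortune-teller"),
                                 ("fake installer", OPFAKE_LIKE_BADGING, "launcher")]:
        pkg, vc, _ = parse_badging(text)
        print(f"{label}: {pkg} versionCode={vc} sms-bot={sms_bot_profile(text)}")
        for perm, why in review(text, purpose):
            print(f"  unexplained {perm}: {why}")
```

On a real device the same review can be run on an installed app by pulling its APK with `adb pull` and feeding `aapt dump badging` output to `review()`; the baselines in EXPECTED are deliberately small, so anything outside them is surfaced for a human to judge rather than silently accepted.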

Developers of Android.Opfake continue to invest a lot of time and effort into their malware, so it’s not surprising to see this update. It’s likely we will see this evolve even further, so long as it’s profitable. Symantec’s Norton Mobile Security detects this variant as Android.Opfake.B. We will continue to monitor the attack and note any significant changes we observe.