    My previous post discussed how certain spam messages can lead to the download of malicious apps detected as ANDROIDOS_CONTACTS.E. This time, we focus on the app's routines and on how the people behind this threat may profit from it.

    My analysis focused in particular on the app "Solar Charge". This Android app (detected as ANDROIDOS_CONTACTS.E) gathers contact information, such as email addresses, from the infected device. The perpetrators behind such apps may then peddle the gathered data to spammers and other attackers.

    When users install the app, it shows the list of permissions it requests. A closer look at these permissions reveals that the app also requests access to the contact details and the list of accounts stored on the device.

    | Permission | Function |
    | --- | --- |
    | android.permission.READ_CONTACTS | Allows the app to read the user's contacts data |
    | android.permission.BATTERY_STATS | Allows the app to collect battery statistics |
    | android.permission.INTERNET | Allows the app to open network sockets |
    | android.permission.READ_PHONE_STATE | Allows read-only access to phone state |
    | android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service |

    Unfortunately, granting such permissions may give other parties access to this data, which they may in turn pass on to spammers.
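The permission table above is the kind of thing an analyst checks first when triaging an APK. The following Python script is an added example (not code from the original post or from Trend Micro) that reads a decoded AndroidManifest.xml, lists the declared permissions, marks the ones from the table, and flags the pairing of READ_CONTACTS with INTERNET, which is what lets an app both read and upload the address book. The manifest embedded below is constructed to mirror the permission list in the post; it assumes the manifest has already been converted from binary AXML to plain XML (for example with apktool), since the script does not parse the binary form.

```python
"""Triage the permissions declared in a decoded Android manifest.

Added example, not code from the original post or from Trend Micro. It
assumes the manifest is already plain XML (e.g. apktool output).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions the post lists for Solar Charge and what each one grants.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read the user's contacts data",
    "android.permission.GET_ACCOUNTS": "list accounts in the Accounts Service",
    "android.permission.READ_PHONE_STATE": "read phone state and identifiers",
    "android.permission.INTERNET": "open network sockets",
    "android.permission.BATTERY_STATS": "collect battery statistics",
}

# Read the address book AND talk to the network: the minimum a contact
# harvester needs, so the pair is worth a warning on its own.
EXFIL_COMBO = {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}

# Constructed sample manifest modelled on the post's permission table.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solarcharge">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Solar Charge"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Classify the declared permissions and flag the contacts+network pairing."""
    perms = declared_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS}
    return {
        "declared": perms,
        "sensitive": sensitive,
        "contacts_with_network": EXFIL_COMBO.issubset(perms),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for perm, meaning in report["sensitive"].items():
        print("%-40s %s" % (perm, meaning))
    if report["contacts_with_network"]:
        print("WARNING: app can read contacts AND reach the network")
```

Run it against your own decoded manifest by replacing SAMPLE_MANIFEST with the file contents; a "solar charger" that needs READ_CONTACTS, GET_ACCOUNTS and INTERNET is exactly the mismatch between stated purpose and requested permissions that the post describes.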

    Aside from requesting access to device information such as contacts and the accounts service, "Solar Charge" does not actually work. It only displays the message "Charging" and pretends to charge the device using solar light. While supposedly charging, another message appears stating that the app "is not available for your device".

    During this “charging state”, the app is actually attempting to steal contact details and Gmail accounts from the device and send these to a specific remote server.

    In our analysis of the app's code, we found the routines responsible for stealing personal information such as contacts and email addresses.

    The screenshot above shows the contents of the communication between Solar Charge and the remote server. We can see that the app attempted to send the telephone number in the parameter "myid=080{BLOCKED}". After the parameter "frdata=", we also notice that the information gathered from the device's contacts is URL encoded.

    After decoding it, we found that the app attempts to send details such as names, phone numbers and email addresses to a specific remote server.
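For an incident responder working from a proxy capture, the useful step is reproducing that decoding. The Python below is an added example (not code from the original post or from Trend Micro) that parses a captured POST body of the form the post describes, a "myid=" parameter plus a URL-encoded "frdata=" parameter, and turns it back into a list of names, phone numbers and email addresses; it also carries a small heuristic for spotting such bodies in proxy logs. The post does not show the layout inside frdata, so the sample assumes a constructed one-contact-per-line "name,phone,email" format; the phone numbers and contacts are made up.

```python
"""Decode a captured contact-exfiltration POST body for incident triage.

Added example, not code from the original post or from Trend Micro. The
post shows 'myid=<phone>' and a URL-encoded 'frdata=' parameter; the
layout inside frdata is assumed here to be one 'name,phone,email' per line.
"""
from urllib.parse import parse_qs, quote

# Constructed sample: the body a proxy would log for one upload. The '080'
# prefix mirrors the blocked number in the post; everything else is made up.
SAMPLE_CONTACTS = (
    "Alice Example,08011112222,alice@example.test\n"
    "Bob Sample,08033334444,bob@example.test"
)
SAMPLE_BODY = "myid=08000000000&frdata=" + quote(SAMPLE_CONTACTS, safe="")


def decode_exfil_body(body: str) -> dict:
    """Parse the form body, URL-decode frdata and split it into contact records."""
    params = parse_qs(body, keep_blank_values=True)
    sender = params.get("myid", [""])[0]
    raw = params.get("frdata", [""])[0]  # parse_qs has already URL-decoded this
    contacts = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        fields += [""] * (3 - len(fields))  # tolerate a record with missing fields
        name, phone, email = fields[:3]
        contacts.append({"name": name.strip(), "phone": phone.strip(), "email": email.strip()})
    return {"sender_number": sender, "contacts": contacts}


def looks_like_contact_exfil(body: str) -> bool:
    """Cheap proxy-log heuristic: both parameters present and frdata carries an '@'.

    Tune or combine with the server list from your own telemetry; this alone
    is a triage filter, not a verdict.
    """
    params = parse_qs(body, keep_blank_values=True)
    if "myid" not in params or "frdata" not in params:
        return False
    return "@" in params["frdata"][0]


if __name__ == "__main__":
    if looks_like_contact_exfil(SAMPLE_BODY):
        decoded = decode_exfil_body(SAMPLE_BODY)
        print("sender:", decoded["sender_number"])
        for c in decoded["contacts"]:
            print("  %-15s %-12s %s" % (c["name"], c["phone"], c["email"]))
```

The decoded records are what you would use to notify affected users and to size the exposure: every contact in the upload, not just the device owner, has had their details leaked.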

    Below is the list of servers to which the apps detected as ANDROIDOS_CONTACTS send the stolen data over HTTP.

    The people behind this app may have used servers located in different countries, possibly to avoid identification. It also allows them to quickly replace a server if one is blocked.

    Mobile Addresses Sold From 0.14 Yen – 1.5 Yen

    The big question now is: why do these spammers keep stealing contacts using malicious apps? We can cite two reasons. First, they can use the stolen accounts as part of their own spam distribution lists. Second, they can sell the stolen data to other groups that prefer "fresh" accounts for their own businesses, such as dating sites. These accounts are sold in lots, each containing tens of thousands of stolen account records. Prices per stolen account range from 0.14 Yen to 1.5 Yen.

    Trend Micro users need not worry, as Trend Micro Mobile Security detects these apps as ANDROIDOS_CONTACTS.E. As a precaution, users should always scrutinize the permissions they grant to the apps they install, since over-broad permissions can lead to device information being disclosed to third parties. To learn more about keeping your mobile device data protected, refer to our Digital Life e-Guides below:


    • angrycpu

      Your app opens the door, there is accountability and there is an escape to rationalize and refer to a permission clause which is just an excuse for unethical developing practices. People with forensic knowledge know a little more than you think.

    • Takahashi Nobuhiro

      This is incorrect info, I am the developer of this app, we do not sell the contact info to spammers. The permission is clearly identified prior to installation, you have no right to print such incorrect info and accuse people of being criminals/malware authors. What proof you have of these claims/lies. If you don't clarify this I will seek legal action against your organization.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice