Recently, we have noticed large numbers of repackaged Android apps showing up in Chinese app stores. While these apps are advertised as “free”, in the end they cost users time and money: users are either shown a stream of ads or silently subscribed to premium SMS numbers. (Note that these apps were not found in the official Google Play store.)
Two channels are at work here. First, foreign apps that have been localized or repackaged by Chinese companies are used for various schemes. Second, paid/premium apps are repackaged by pirates to produce a “free” version that contains ads or other added code. In either case, there is a risk that the repackaged code is malicious.
In the first case, local Chinese companies have been contracted by the original developers to localize apps for the Chinese market. This includes translation, as well as switching payment methods to those used in the Chinese market. However, unscrupulous companies may inject their own code at this stage to display advertisements and to collect money from users via premium SMS numbers.
The injected advertising code collects the user’s location, phone model, and list of installed apps without explicitly asking for the user’s permission. The apps may also be designed so that, in some circumstances, users “accidentally” tap the button that sends an SMS payment. The carrier’s payment notices may also be intercepted so that the user never sees the charge, as seen in the following code:
Figure 1. Code intercepting payment notice text messages
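The interception shown in Figure 1 relies on a hook that is visible in the app’s manifest: an SMS receiver registered at high priority alongside SMS permissions. The following triage script, added here as an illustration and not part of the original post or of Trend Micro’s tooling, parses a decoded AndroidManifest.xml (as produced by apktool) and flags that combination. The two manifests embedded in it are constructed samples; the package and class names and the 1000 priority threshold are assumptions.

```python
# Added example (not code from the original post): static triage of a decoded
# AndroidManifest.xml for the SMS-interception pattern described above.
# A repackaged app that wants to read, and on Android < 4.4 suppress, a premium-SMS
# payment notice needs RECEIVE_SMS plus a high-priority receiver for SMS_RECEIVED;
# billing the user additionally needs SEND_SMS. This script looks for exactly that.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
HIGH_PRIORITY = 1000  # assumed threshold; interceptors usually use the maximum int


def android_attr(name):
    """Fully-qualified ElementTree name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


def parse_priority(value):
    """apktool emits priorities as decimal or 0x-hex; anything else counts as 0."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return 0


def sms_receivers(root):
    """Return (receiver class, priority) for every intent filter on SMS_RECEIVED."""
    found = []
    for receiver in root.iter("receiver"):
        for ifilter in receiver.findall("intent-filter"):
            actions = {act.get(android_attr("name")) for act in ifilter.findall("action")}
            if SMS_RECEIVED in actions:
                found.append((receiver.get(android_attr("name")),
                              parse_priority(ifilter.get(android_attr("priority")))))
    return found


def triage(manifest_xml):
    """Triage one decoded manifest; returns the evidence found and a list of verdicts."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    verdicts = []
    if ("android.permission.RECEIVE_SMS" in perms
            and any(prio >= HIGH_PRIORITY for _, prio in receivers)):
        # Can read incoming SMS before the stock messaging app, and abort the
        # broadcast on pre-KitKat devices so the payment notice never appears.
        verdicts.append("SMS_INTERCEPT")
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        # Can both subscribe the user to a premium number and swallow the reply.
        verdicts.append("PREMIUM_SMS")
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": receivers,
        "verdicts": verdicts,
    }


# Constructed sample: a repackaged game whose injected billing SDK registers an SMS receiver.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".GameActivity"/>
    <receiver android:name="com.example.paysdk.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: the same game as the original developer shipped it.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".GameActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (REPACKAGED_MANIFEST, CLEAN_MANIFEST):
        print(triage(manifest))
```

The check is a triage heuristic, not a verdict: a legitimate SMS client or two-factor app registers the same receiver, so a hit should send the analyst to the receiver class in the decompiled code to see whether it matches sender numbers or keywords and calls abortBroadcast(), as in Figure 1. Since Android 4.4 only the default SMS app can abort SMS_RECEIVED, but the receiver still lets the code read and forward the notice on newer devices.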
In the second case, pirates (either individuals or companies) crack paid apps, add their own code, and distribute the result via major Chinese app stores. Using paid promotion and inflated download counts, these repackaged apps reach the top lists of these app stores, with millions of downloads.
Figure 2. Repackaged version of Minecraft with 52 thousand downloads per week
These apps display multiple advertisements when they are launched, and trying to close an ad just triggers the download of another app with even more advertisements. We even found spyware pushed as a security app; this particular app required root privileges and as a result is not easy to remove. (The screenshot below shows an ad for one of these spyware apps.)
Figure 3. Ads at app startup that lead to other risky apps
Figure 4. App permissions requested by app installed by ad in Figure 3
Apps being used to promote various scams are also a widespread problem. One such malicious app repackaged the original Monument Valley game with an advertisement library; in addition, it randomly pushes scam messages to users, which lead them into further phone scams.
Figure 5. Repackaged Monument Valley, with 520 thousand downloads
This app displays advertisements via system notifications that lead to a website at hxxp://abcdefg2.jjzl.com.cn/tmall3_daigou/ip6.php. This site offers the user iPhones and other mobile devices for approximately $100, cash on delivery. The user is asked to enter his name, phone number, and shipping address. There is at least one known case where the victim was later called and asked to pay a “prepaid shipping fee.”
Acquiring this personal information is the goal of this scam, which is detected as ANDROIDOS_SCAMAD.HBT. The user remains at risk of receiving more fraudulent calls unless they change their phone number.
Figure 6. App notification for iPhones being sold
Figure 7. Website gathering user information
The above screenshot shows some of the items for sale (different variants of the iPhone 5S); the next three fields are where the user would enter their personal information before clicking one of the buttons below, which would submit the information to the attacker.
The malicious apps in this post are mostly gathered from the top app lists of some major Chinese app stores. These top lists contain many repackaged apps, which pose serious risks to users. Users – particularly those in China – should be careful about downloading these apps. Last year, we discussed the threats of repackaged apps in a white paper titled Fake Apps: Feigning Legitimacy. Trend Micro Mobile Security protects users against these threats by scanning apps that are installed onto the device.