
    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some even introduce risks that users may not fully understand. In this series of blog posts, I will try to show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three blog entries, I will examine the current situation of info-stealing apps targeting Japanese users.

    What is an “Ego App”?

    Some apps have unwanted routines which we consider high-risk; for example, some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps which display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

    • Consuming system resources
    • Displaying pop-up advertising
    • Violating the user’s privacy

    Users who continue to use these apps may encounter unexpected behavior, and may suffer problems without any notice. These apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

    Law enforcement actions

    On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are also known as “the movie virus.”) In another case, the Kyoto Prefectural Police together with its Fushimi Police Station announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, or Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

    In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to this kind of cybercrime. In this entry, I will look at the apps used in these attacks.

    Smartphone users install the apps detected as ANDROIDOS_DOUGALEK and ANDROIDOS_CONTACTS because of their enticing names and descriptions. Some are named in Japanese as Video Reply, Battery Longevity or Solar Power Generation and the like. Users tend to install them expecting the functionality their names imply. These apps, however, hardly deliver on their claims and instead execute their harmful routines.

    In this information theft routine, the cybercriminals focus on the user’s phone book. The names, phone numbers, and email addresses of the people listed in the phone book are extracted and sent to an external server. As a result, the attackers steal the information not only of the device’s owner but also of his/her friends and acquaintances.

    The screenshot below shows the transmission in which ANDROIDOS_CONTACTS sends the content of the phone book to the external server. As you can see, “myid=080 {masked}” is the phone number of the affected user and “090 {masked}” is a phone number registered in the “phone book” of the affected user’s device.
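
    For defenders, the shape of that transmission (an owner number in a "myid" field followed by phone-book entries) can be looked for in captured request bodies. The following is an added example, not code from the original post or from Trend Micro; it assumes URL-encoded form bodies, and every host and field name other than "myid" is made up for illustration.

```python
import re
from urllib.parse import parse_qsl

# Japanese mobile numbers: 070/080/090 plus 8 digits, hyphens optional.
JP_MOBILE = re.compile(r"(?<!\d)0[789]0-?\d{4}-?\d{4}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def inspect_body(body, min_contacts=3):
    """Return a finding dict if a form body looks like a phone-book upload."""
    owner = None
    numbers, emails = set(), set()
    for key, value in parse_qsl(body, keep_blank_values=True):
        found = [n.replace("-", "") for n in JP_MOBILE.findall(value)]
        if key.lower() == "myid" and found:
            owner = found[0]      # sender's own number, the field named on the page
            continue
        numbers.update(found)
        emails.update(EMAIL.findall(value))
    numbers.discard(owner)        # do not count the owner as a contact
    # One phone number in a request is normal; several contacts at once is not.
    if len(numbers) + len(emails) < min_contacts:
        return None
    return {"owner_field": owner is not None,
            "phone_count": len(numbers),
            "email_count": len(emails)}

def scan(requests, min_contacts=3):
    """requests: iterable of (host, body) pairs. Returns [(host, finding), ...]."""
    hits = []
    for host, body in requests:
        finding = inspect_body(body, min_contacts)
        if finding:
            hits.append((host, finding))
    return hits

# Constructed sample traffic: hosts, numbers and field names are invented.
SAMPLE = [
    ("collector.example",
     "myid=08000000000&name1=A&tel1=09000000001&mail1=a%40example.jp"
     "&name2=B&tel2=09000000002&name3=C&tel3=07000000003"),
    ("weather.example", "lat=35.68&lon=139.76&units=metric"),
    ("shop.example", "tel=09000000009&item=42"),
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE):
        print(host, finding)
```

    The threshold is a tuning choice: legitimate apps such as contact backup services also upload phone books, so a hit should be weighed against what the app claims to do.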

    This threat is not limited to Japan. On October 26, 2012, the Korea Information Security Agency (KISA) also released an alert (in Korean) about fake anti-spam apps that steal mobile users’ information and send it to external servers.

    For feature phones, the security issues are generally limited to things such as losing the device itself, or perhaps the sending of spammed text messages. For smartphones, the security risk is greater, as users can easily install various third-party apps, which may not be provided by legitimate developers and telecommunication companies. The distribution channels of various third-party apps may be used by cybercriminals as well. Users should understand that the increased power of mobile devices also increases the risk.

    Trend Micro products like Trend Micro Mobile Security (known as Virus Buster Mobile for Android in Japan) detect these mobile threats.

    Aside from the above apps, which are clearly fraudulent, there are also more subtle cases where smartphone users encounter privacy threats in a somewhat different way. In such cases, while the “extracted” user information was considered “necessary” to install the app, users may not have been fully informed of the privacy consequences.

    In the next entry, I would like to show the risks of subtle information leaks triggered by these apps, which also targeted Japanese users using the phrase “for free.”









    • http://www.facebook.com/profile.php?id=100002458125096 Momo Levi

      thanks!

    • TrendLabs

      Hi Kelly,

      As mentioned above, security products such as the Trend Micro Mobile Security can detect these mobile threats.

    • http://www.facebook.com/RapidSoftTechnologies Kelly Burby

      how to get rid of these info-stealing apps as soon as possible?



     
