In July 2012 we were alerted to malicious apps that we detect as ANDROIDOS_CONTACTS.E, and we investigated the spam that delivers them to mobile devices. What is noteworthy about this threat is that the spam was distributed not only to smartphones but also to feature phones.
This indicates that the spammers may have carried out indiscriminate attacks against the email addresses provided by telecommunications carriers.
In Japan, carrier email addresses are popular among mobile users because they can be accessed from both mobile devices and other systems. Each telecommunications carrier also provides a service that blocks spam mail. This feature may have made users complacent about the security of their carrier email addresses.
Spammers understand users’ tendency to be too trusting, so they sent this spam to carrier email addresses to increase their attack’s chance of success.
So far, we can categorize the URLs in these spam into three types:
- URLs that lead directly to the download of an Android APK package
- URLs that lead to a malicious web page disguised as a legitimate app market
- Shortened URLs
Let’s focus on the third type of URL. When users click the shortened URL, they are led to a web page set up by the spammer or their partners, which may in turn either download an APK package or present a web page disguised as a legitimate app store.
Why do spammers use URL-shortening services? Users find it difficult to check the full URL behind a shortened one, which raises the rate at which they inadvertently click a malicious link. Furthermore, some URL-shortening services report click counts in real time, so if one link drew fewer clicks, spammers can switch to a different shortened link that drew more clicks in their next spam run.
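To show how a mail filter or analyst can apply the three-way URL classification above and look past a shortened link before anyone taps it, here is an added Python example; it is not code from the original post or from Trend Micro. The shortener host list, the `.test` domains, the redirect table and the sample messages are all constructed for the example. In production, `expand_url` would be given a resolver that issues a HEAD request and reads the `Location` header instead of the in-memory table used here.

```python
import re
from urllib.parse import urlparse

# Hostnames of public URL-shortening services (assumed starter list, not
# taken from the original post; extend it from your own telemetry).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def classify_url(url):
    """Map a URL to one of the three spam URL types: shortened link,
    direct APK download, or an ordinary web page (candidate fake store)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in SHORTENER_HOSTS:
        return "shortened"
    if path.endswith(".apk"):
        return "direct_apk"
    return "web_page"


def expand_url(url, resolve, max_hops=5):
    """Follow a redirect chain without rendering any page content.

    resolve(url) returns the redirect target for url, or None when url is
    a final destination. It is injected so the example runs offline; a real
    resolver would send a HEAD request and return the Location header.
    max_hops bounds the walk so a redirect loop cannot hang the filter.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_message(text, resolve):
    """Extract every URL from a mail body, classify it, and for shortened
    links also classify the final destination after expansion."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")  # drop trailing sentence punctuation
        kind = classify_url(url)
        final = url
        if kind == "shortened":
            final = expand_url(url, resolve)[-1]
        findings.append({
            "url": url,
            "type": kind,
            "final": final,
            "final_type": classify_url(final),
        })
    return findings


# Constructed redirect table standing in for a shortener's real redirects.
REDIRECTS = {
    "http://bit.ly/abc123": "http://market-example.test/powercharge/",
    "http://is.gd/xyz": "http://cdn-example.test/PowerCharge.apk",
}

# Constructed spam samples, not messages from the original investigation.
SAMPLES = [
    "Free solar charger app! Get it here http://cdn-example.test/PowerCharge.apk",
    "Limited launch, not on Google Play yet: http://bit.ly/abc123",
    "Install now http://is.gd/xyz and boost your battery.",
]


def triage_all(samples=SAMPLES, redirects=REDIRECTS):
    """Run triage over every sample using the constructed redirect table."""
    return [triage_message(s, redirects.get) for s in samples]


if __name__ == "__main__":
    for msg_findings in triage_all():
        for f in msg_findings:
            print(f"{f['type']:10} {f['url']} -> {f['final']} ({f['final_type']})")
```

The point of expanding the link in the filter rather than in the user’s browser is that the final destination can be classified (an `.apk` download or an unfamiliar host posing as a store) before the message reaches the handset, regardless of how often the spammer rotates shortened links.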
Now, let’s focus on the URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which supposedly charges the device using sunlight.
According to the app’s description page, it is not available on Google Play because it is in a limited launch. The page also encourages users to enable the installation of other apps.
In the review section of the web page we saw some positive feedback, though there is no place where users can actually rate the app. The feedback may be fabricated to bolster the app’s credibility and trick users.
Here is a list of apps we detect as ANDROIDOS_CONTACTS.E that users may encounter via spam mail.
Trend Micro protects users from this threat via Trend Micro Mobile Security for Android, which detects ANDROIDOS_CONTACTS.E.
In our follow-up blog entry, we’ll take a look at a particular app detected as ANDROIDOS_CONTACTS.E, specifically its information theft routine.