
    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    In this third and last entry of the series, I will report the results of our investigation into the app-related battery consumption issue and its reality.

    Android Apps’ Battery Consumption Issue

    According to Trend Micro research, almost 47% of smartphone users in Japan are bothered by their device’s battery longevity.

    Dubbed the “PC on your palm,” the smartphone’s design puts a premium on portability, which inadvertently leads to battery resource issues. Traditional feature phones did not have this concern, as their manufacturers were directly responsible for the overall development and quality assurance of the device’s components, from the operating system up to its apps.

    With smartphones, users can install third-party apps that are less dependent on the devices and their respective manufacturers. On the positive side, this brought changes to the apps market, in which new players can now participate and release their own apps. In turn, this made the app market dynamic and new apps are regularly introduced.

    The downside, however, is that app development is not aligned with smartphone devices and their operating systems, making quality assurance more complicated and fragmented. Because anyone can join this market, even individuals with insufficient technical knowledge can easily release an app. This could be a reason why “potentially unwanted apps” consume too many device resources.

    Resource Consumption Used by Free Android Apps

    Sampling the top 200 free apps on Google Play (both general apps and game apps) for August 31, 2012, Trend Micro examined their resource consumption using Trend Micro Mobile App Reputation (MAR). The details of the sampled data are as follows:

    Measuring battery consumption is not an easy task, since it is determined by a complex combination of apps and hardware. In MAR’s investigation, we created three levels of battery consumption using various combinations of factors such as network bandwidth, memory consumption, and hardware used.


    Posted in Mobile | Comments Off on Apps’ Battery Consumption Issue in Japan (Part 3)

    This is the second in a series of blog posts describing the mobile threat landscape in Japan. The first one may be found here.

    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some even introduce risks that users may not fully understand. In this blog entry, I will report the privacy risks caused by certain apps that we have looked into.

    The Ad Delivery Cycle for “Free” Apps

    As mentioned in the first entry, we define apps that demonstrate the following routines without user consent as high-risk apps (referred to as “ego apps” in Japan):

    • Displaying pop-up ads
    • Getting the user’s private information

    One reason these apps are significantly increasing lately is the way that ads are sold in Japan.

    As you can see in this graph, these ad agents/networks provide software development kits (SDKs) for app developers. By inserting the SDK-provided code into their apps, app developers can have ads appear inside their apps. They would then earn money from how many ads are viewed and/or clicked. This revenue allows the developer to charge little or no money for his app.

    Posted in Mobile | Comments Off on Threats From “Free” Android Apps in Japan (Part 2)

    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some of these even introduce risks that users may not fully understand. In this series of blog posts, I will try to show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three blog entries, I will examine the current situation of info-stealing apps targeting Japanese users.

    What is an “Ego App”?

    Some apps have unwanted routines which we consider high-risk; for example, some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps which display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

    • Consuming system resources
    • Displaying pop-up advertising
    • Violating the user’s privacy

    Users who continue to use these apps may encounter unexpected behavior, and may suffer problems without any notice. These apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

    Law enforcement actions

    On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are known as “the movie virus.”) In another case, the Kyoto Prefectural Police together with its Fushimi Police Station announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, or Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

    In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to these kinds of cybercrimes. In this entry, I will look at the apps used in these attacks.



    My previous post discussed how certain spam messages can lead to the downloading of malicious apps detected as ANDROIDOS_CONTACTS.E. This time around, we focused on the app’s routines and how the people behind this threat possibly profit.

    My analysis focused particularly on the app “Solar Change”. This Android app (detected as ANDROIDOS_CONTACTS.E) was found to gather contact information such as email addresses from the infected device. The perpetrators behind these apps may then peddle the gathered data to potential attackers and spammers.

    When users install the app, it shows the list of permissions that it requests. However, a closer look at these permissions reveals that the app also requests the contact details and list of accounts stored on the device.



    We were alerted in July 2012 about malicious apps that we detect as ANDROIDOS_CONTACTS.E. We investigated the related spam, which arrives on the mobile device. What is noteworthy about this threat is that the spam was distributed not only to smartphones but also to feature phones.

    This indicates that the spammers may have carried out indiscriminate attacks targeting the email addresses provided by telecommunication carriers.

    In Japan, this carrier email address is popular among mobile users since it can be accessed on both mobile devices and systems. Also, each telecommunications carrier provides a service that blocks spam mail. This feature may have resulted in users being complacent when it comes to the security of their carrier email addresses.

    Spammers understand users’ tendency to be too trusting, so they distributed this spam to carrier email addresses to increase their attack’s success.

    So far, we can categorize the URLs in this spam into three types:

    • URLs that lead directly to the download of an Android app’s APK package
    • URLs that lead to a malicious web page disguised as a legitimate app market store
    • Shortened URLs

    Let’s focus on the third type of URL. When users click the shortened URL, they are led to a webpage set up by the spammer or their partners. In this scenario, it may lead either to the downloading of an APK package or to a web page disguised as a legitimate app store.

    Why do spammers leverage shortened URL services? Users find it difficult to check the complete URL behind a shortened one, which leads to a higher rate of users inadvertently clicking a malicious link. Furthermore, some shortened URL services can count user clicks in real time. So if a particular link had fewer clicks, spammers can use a different shortened link that had more clicks in their future spam runs.

    Now, let’s focus on those URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which is supposedly an app that charges by using solar light.


    Posted in Mobile | Comments Off on Spam Trick Users to Download ANDROIDOS_CONTACTS.E

