• Trend Micro
  • About TrendLabs Security Intelligence Blog

“Free” Apps In Chinese App Stores Put Users At Risk

  • Posted on: March 16, 2015 at 5:51 pm
  • Posted in: Malware, Mobile
  • Author: Veo Zhang (Mobile Threats Analyst)

Recently, we have noticed large numbers of repackaged Android apps showing up in Chinese app stores. While these apps pretend to be “free”, in the end they cost users time and money: users are either shown various ads or subscribed to various premium SMS numbers. (Note that these apps were not found in the official Google Play store.)

Two channels are at work here. First, foreign apps are localized or repackaged by Chinese companies and used for various schemes. Second, paid/premium apps can be repackaged by pirates to produce a “free” version that contains ads or other added code. In either case, there is a risk that the repackaged code may be malicious.

In the first case, local Chinese companies have been contracted by the original developers to localize apps for the Chinese market. This includes translation, as well as changing payment methods to those used in the Chinese market. However, unscrupulous companies may insert their own code at this stage to display advertisements and collect money from users via SMS numbers.

These advertisements collect the user’s location, phone model, and list of other installed apps without explicitly getting the user’s permission. The apps may also be designed so that in some circumstances, users may “accidentally” click on the button which sends an SMS payment. Payment notices may also be intercepted, as seen in the following code:

Figure 1. Code intercepting payment notice text messages
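
A defender can look for the traits described above (SMS sending, location collection, and a receiver positioned to see incoming payment notices) in an app's manifest before installation. The following is an added example, not code from the original post: it assumes the APK's `AndroidManifest.xml` has already been decoded to plain XML, and the sample manifest, package name, receiver name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifest of a hypothetical repackaged game.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".PayNoticeReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_receivers(root):
    """Yield (name, priority) for each SMS_RECEIVED receiver (non-numeric -> 0)."""
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in flt.iter("action")):
                prio = flt.get(ANDROID + "priority", "0")
                prio = int(prio) if prio.lstrip("-").isdigit() else 0
                yield recv.get(ANDROID + "name"), prio


def triage_manifest(xml_text):
    """Return findings for the SMS-billing and tracking traits in the post."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    findings = []
    if "SEND_SMS" in perms:
        findings.append("SEND_SMS: app can send text messages, including to premium numbers")
    if perms & {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}:
        findings.append("location permission: app can read the device location")
    if "RECEIVE_SMS" in perms:  # a positive priority asks to run ahead of default receivers
        findings += [f"{name}: SMS receiver with priority {prio}"
                     for name, prio in sms_receivers(root) if prio > 0]
    return findings


if __name__ == "__main__":
    print("\n".join(triage_manifest(SAMPLE_MANIFEST)))
```

None of these findings is malicious on its own; the combination in a game or utility that has no reason to handle text messages is what warrants a closer look.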

In the second case, pirates (either individuals or companies) crack paid apps, add their code, and distribute them via major Chinese app stores. Using commercials and fake downloads, these repackaged apps reach the top lists of these app stores, with millions of downloads.

Figure 2. Repackaged version of Minecraft with 52 thousand downloads per week

These apps display multiple advertisements when they are launched, and trying to close them just leads to the download of another app with even more advertisements. We even found spyware pushed as a security app; this particular app required root privileges and as a result it is not easy to remove. (The screenshot below shows an ad for one of these spyware apps.)

Figure 3. Ads at app startup that lead to other risky apps

Figure 4. App permissions requested by app installed by ad in Figure 3

Apps being used to promote various scams are also a widespread problem. This malicious app repackaged the original Monument Valley game with an advertisement library; in addition, it randomly pushes scam messages to users, which lead them to further phone scams.

Figure 5. Repackaged Monument Valley, with 520 thousand downloads

This app displays advertisements via system notifications that lead to a website at hxxp://abcdefg2.jjzl.com.cn/tmall3_daigou/ip6.php. This site contains offers for the user to purchase iPhones and other mobile devices for approximately $100 cash on delivery. The user is asked to enter his name, phone number, and shipping address. There is at least one known case where the victim was later called and asked to pay a “prepaid shipping fee.”

Acquiring this personal information is the goal of this scam, which is detected as ANDROIDOS_SCAMAD.HBT. The user is at risk of receiving more fraudulent calls, unless they change their phone number.

Figure 6. App notification for iPhones being sold

Figure 7. Website gathering user information

The above screenshot shows some of the items for sale (different variants of the iPhone 5S); the next three fields are where the user would enter their personal information before clicking one of the buttons below, which would submit the information to the attacker.

The malicious apps in this post are mostly gathered from the top app lists of some major Chinese app stores. These top lists contain many repackaged apps, which pose serious risks to users. Users – particularly those in China – should be careful about downloading these apps. Last year, we discussed the threats of repackaged apps in a white paper titled Fake Apps: Feigning Legitimacy. Trend Micro Mobile Security protects users against these threats by scanning apps that are installed onto the device.
