Update, December 5
The developer of the app Machin Chat has contacted McAfee and reported that the collection of phone numbers was inadvertent and that they have no malicious intent. We have verified that updated code no longer collects phone numbers. The updated app is available on Google Play. (Older versions of the app have not been fixed.) McAfee has removed detection of the new app because it no longer poses a security risk.
Figure 1: Two suspicious chat applications found on Google Play Japan.
Figure 2: The app’s description page emphasizes “Registration Not Required.”
Despite the developer’s claim on the Google Play description page that registration is “not required,” the device’s phone number is sent, without any notice to the user, to a remote web server managed by the developer as soon as the user tries to connect to the chat service. The phone number is encrypted before it is sent, but the developer can evidently decrypt the data later on the server.
We do not know whether the developer will use these phone numbers for malicious purposes, but gathering such sensitive information without a user’s knowledge is a serious problem. We can also assume the developer is deceiving, or at least misleading, users. Finally, the chat service does not appear to work, at least in our research. Fortunately, we count fewer than several hundred downloads of these two applications.
Figure 3: When users tap the button on this chat screen, their phone numbers are secretly sent to the developer.
McAfee Mobile Security detects these suspicious applications as Android/ChatLeaker.A.