Android Malware Promises Video While Stealing Contacts


Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet, but only after sensitive information has been sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here’s one example:

Or anime/adult Japanese videos:

When the application is about to be installed, two suspicious permissions are requested: read contact data, and read phone state and identity. Neither is needed for the principal purpose of the application, which is to display a video from the Internet. The reason for these requests becomes clear as soon as the malware executes: its first action is to obtain, in the background and without the user’s consent, the following sensitive information from the device:

  • Android ID: Unlike most Android malware and PUPs (potentially unwanted programs), which gather the IMEI to uniquely identify a device, this malicious application obtains the android_id, which according to the Android API documentation is a “64-bit number that is randomly generated on the device’s first boot and should remain constant for the lifetime of the device.”
  • Phone number: Obtains the phone number of the device. The READ_PHONE_STATE permission is required to gather this information.
  • Contact list: Gets the name, telephone number, and email address of every person in the contact list.

While the data is harvested, the victim sees this “loading” message:

Once the information is obtained, the malicious application sends it to a remote server in clear text:

If the data was sent successfully, the application requests a specific video from the same server and displays it using a VideoView component. If the malware fails at its background theft (for example, because the device has no Internet connection), a message in Japanese says that an error has occurred and the video has not loaded:

So far we have discovered 15 applications from two developers that, according to Google Play statistics, have been downloaded by at least 70,000 users. Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market. McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Before installing an application from the Google Play market, users should verify that it does not request permission to perform actions unrelated to its purpose.
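The permission check recommended above can be automated as a static triage step: parse an app's manifest and flag requested permissions that the app's stated purpose does not justify. The script below is an added example, not McAfee's detection logic and not code from the malicious apps. The sample manifest, the purpose table and the grouping of "sensitive" permissions are constructed for this illustration; the permission names themselves are real Android permissions.

```python
"""Static triage of an Android manifest: flag permissions that the app's
stated purpose does not justify.

Added example for this write-up (not McAfee's code). The manifest below is
constructed to mirror the permission set described in the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions whose grant exposes personal or device-identifying data.
# The names are real Android permissions; the grouping is this example's.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list (names, numbers, email addresses)",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI and device identity",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What an app of a given purpose plausibly needs. Assumption for this
# example: a trailer viewer that streams video only needs network access.
EXPECTED_BY_PURPOSE = {
    "video_viewer": {"android.permission.INTERNET"},
}

# Constructed manifest: a "video viewer" that also asks for contacts and
# phone state, the combination the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.trailer.viewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Trailer Viewer"/>
</manifest>
"""

# Constructed benign counterpart for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.trailer.viewer.clean">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Trailer Viewer"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def unjustified_permissions(manifest_xml, purpose):
    """Return {permission: what it exposes} for sensitive permissions the
    manifest requests beyond what `purpose` is expected to need."""
    expected = EXPECTED_BY_PURPOSE[purpose]
    extra = requested_permissions(manifest_xml) - expected
    return {p: SENSITIVE[p] for p in sorted(extra) if p in SENSITIVE}


def triage_report(manifest_xml, purpose):
    """Human-readable verdict; a non-empty finding list warrants review."""
    findings = unjustified_permissions(manifest_xml, purpose)
    if not findings:
        return "OK: no sensitive permissions beyond the %s baseline" % purpose
    lines = ["REVIEW: %d sensitive permission(s) not justified by purpose '%s'"
             % (len(findings), purpose)]
    for perm, exposure in findings.items():
        lines.append("  - %s exposes %s" % (perm, exposure))
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_MANIFEST, "video_viewer"))
    print(triage_report(BENIGN_MANIFEST, "video_viewer"))
```

The baseline per purpose is the judgement call: an app whose description promises only video playback has no reason to touch contacts or phone identity, so those two requests are exactly the signal a reviewer (or a user reading the install-time prompt) should act on.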

Categories: McAfee Labs
