Rico says you've been warned...

Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to a remote server. The 'replication' part is done by the server; SMS spam messages with the URL to the application are sent from the remote server to all the contacts in the user’s address book.
The application is called Find and Call and can be found in both the Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google, but haven’t received an answer yet.
All user comments (both in the Apple Store and Google Play) are pretty angry and contain the same complaint, that the app sends SMS spam.

If the user launches this application, he will be asked to register using his email address and cell phone number (both fields won’t be checked for validity). If the user wants to ‘find friends in a phone book’, his phone book data will be secretly (no EULA/terms of usage/notifications) uploaded to a remote server.
Both apps are also able to upload the user’s GPS coordinates to the same server, but such a ‘feature’ is not that new for both malicious and legal apps, to be honest.
So, what happens next? The user will be able to continue using the application, but at the same time the application steals data from the device (phone book and cell phone numbers), which is uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive an SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cell phone number. In other words, people will receive an SMS spam message from a trusted source.
1. Are these apps malicious? Yes.
2. Why? Both apps upload the user’s phone book to a remote server and use it for SMS spam. That’s why we detect them as a Trojan.
3. Who created them? Good question. There are actually some more interesting details. The website of this app allows you (after logging in to your account) to ‘enter’ your social network accounts, mail accounts (it seems that these details will also be used) and even PayPal to add money to your account.
If you try to add some amount of money, you will notice that you’re trying to transfer money to a company called ‘LABWEALTH.COM PTE. LTD.’ If you check their website, 'labwealth.com', you’ll find a company based in Singapore named 'Wealth Creation Laboratory'. Yeah, right! This company, by the way, has a really nice motto: 'Let's create together the world of plenty and prosperity!'
Malware in Google Play is nothing new, but it’s the first time that we’ve seen malware in the App Store. It is worth mentioning that there have not been any incidents of malware inside the App Store since its launch five years ago. But the main issue here is the user’s privacy again. It’s not the first time we have seen incidents related to users’ personal data and its leakage. But it is the first time we have a confirmed case of malicious usage of such data.
We’re sure that both applications must be deleted from the official markets. Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware and, in this case, it steals the user’s phone book and uses it for SMS spam. And we’re sure that there must be a strict and quick response to such incidents. Period.
Both apps were subsequently removed from the Apple Store and Google Play.
06 July 2012
Malware from Russia? Not a surprise
Kaspersky has an article in SecureList.com about the latest, in a bad place: