“Movie” apps from Google Play forged to steal informations

Over the weekend, a number of 29 malicious apps on the android market that are designed to steal personal informations were identified on the Google Play market.

Symantec engineers said that the infected apps were downloaded and installed by more than 70,000 mobile users with Android powered devices.

Taking into consideration that a normal mobile user has about 50 contacts with informations about them in his gadget, we can say that some millions of names, phone numbers and even emails are now in the hands of the malicious apps developers.

“The apps share common programming code so we can assume it is a sole individual or an organization who is committing the crime,” told the researchers. “The very first app we confirmed appeared on Google Play around February 10 and more followed until late March.”

“Originally the apps posted were not game related, but were random ones including apps of an erotic nature, a contact management app, a recipe app, and a diet assistant app to name a few. But the number of downloads were low. Then in late March, a bunch of apps with names ending in “the Movie” were out there on the market. These apps caught the attention of a large number of users who installed them.”

The apps we are talking about targeted mostly asian, Japanese users, and asked for three permissions:

Well, the first permission looks legit in order to watch a movie but the next two are not needed for an app that would only show a movie. Bad news for the users that installed the apps: their contacts and their Android ID and phone number are sent to a remote server and after that the download of the movie begins and if succesful it will play. If the app is not able to extract the data from the user’s device it just sends a notification that the video did not load.

“The purpose of this attack is not clear; however, a strong assumption is that the scammers are harvesting emails addresses and phone numbers to use for their next round of malicious activities, such as spamming scams by email or calling individuals to attempt to defraud them,” the engineers told.

“It is interesting to note that these apps post the personal data to a hosting server known to distribute Android.Oneclickfraudvariants,” the researchers add. “The information thatAndroid.Oneclickfraud attempts to steal is also exfiltrated to the same server. Could it be a coincidence here or is there some relationship between the two malware?”

For the moment, the apps are not banned from Google Play. Taking into consideration that some of the apps are available on the market for some time now and Google did not ban them, we advise the users to double check anything they want to download from Google Play and make some researches before installing the apps.

As a hint, the app we are talking about did not have the same name after installing on the device as it had on Google Play.