Symantec has identified new malware targeting Google Android devices that collects personal data.
The malware, detected as Android.Exprespam, is spread through the spamming of links to fake Google Play pages. These pages are hosted on a server located in Washington.
“It is worth noting that the site actually calls itself Gcogle Play,” blogged Symantec threat analyst Joji Hamada. “The domain for the website was registered on December 27 and the malicious APK file contains a signature valid from January 2.”
“We have confirmed nine different app pages on this site, although the downloaded app is the same in each case,” according to Hamada. “A couple of the fake app pages resemble the type of fake tools used by older malware, but most are new types of fake tools. The scammers have made available a variety of apps in the hope that it increases the chances of the apps being installed. This is a distinct ramping up of activities as older malware masqueraded at most as three apps on a site simultaneously.”
The installation screen displays the permissions the malware requests, which include access to personal information, phone state and identity, and account information. Legitimate applications generally do not request this combination of permissions, the researcher noted.
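As an added illustration (not code from Symantec's post), the following script reads an APK's AndroidManifest.xml and flags the permission combination described above. The mapping of the three labels to READ_CONTACTS, READ_PHONE_STATE and GET_ACCOUNTS, and the sample manifest, are assumptions of this example.

```python
# Added example, not Symantec's code: triage the permissions an APK's
# AndroidManifest.xml requests against the categories the article names.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission identifiers behind the labels in the article; the
# choice of which identifiers to watch is an assumption of this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "personal information",
    "android.permission.READ_PHONE_STATE": "phone state and identity",
    "android.permission.GET_ACCOUNTS": "account information",
}

# Constructed manifest standing in for a fake-tool app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.faketool">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return [n for n in names if n]

def flag_sensitive(manifest_xml: str) -> dict:
    """Map each requested sensitive permission to the data it exposes."""
    return {p: SENSITIVE_PERMISSIONS[p]
            for p in requested_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS}

def looks_like_data_harvester(manifest_xml: str) -> bool:
    """True when all three categories from the article are requested together,
    a combination a simple utility app has no reason to need."""
    return set(flag_sensitive(manifest_xml).values()) == set(SENSITIVE_PERMISSIONS.values())

if __name__ == "__main__":
    for perm, category in flag_sensitive(SAMPLE_MANIFEST).items():
        print(f"{perm}: exposes {category}")
    print("data-harvester pattern:", looks_like_data_harvester(SAMPLE_MANIFEST))
```

The manifest can be extracted from a real sample with a decoding tool before being fed to `flag_sensitive`; the check is a triage heuristic, not a verdict.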
“Once installed and opened, the malware informs the user that the app is incompatible with the device,” Hamada noted. “However, personal data is sent surreptitiously to a server.”
Unlike other types of malware, it uploads the information it steals over the Secure Sockets Layer (SSL) protocol, so the stolen data is encrypted in transit.
“So why would the creators go out of their way to encrypt the stolen information? It is only speculation on my part but perhaps it may be in order to make it look like they were taking measures to protect the collected data in the same manner as a responsible business,” the researcher blogged. “It is possible that the malware author(s) may use this in their defense if they are ever arrested.”
Hamada urged consumers to think twice before clicking on links in emails they receive from unknown sources.