Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Android Malware Spams Victim’s Contacts

Created: 18 Mar 2013 10:59:34 GMT • Updated: 23 Jan 2014 18:08:58 GMT • Translations available: 日本語
Joji Hamada's picture
0 0 Votes
Login to vote

SMS messages attempting to lure Android device owners to download an app that supposedly allows the camera on the device to see through clothes are circulating in Japan. This type of spam is usually sent by the malware authors themselves, but in this case the authors have developed an app to send the spam messages by SMS to phone numbers stored in the device’s Contacts. This allows the recipients of the spam to be tricked easier because the invitation to download the app is coming from someone they know rather than from an unknown sender. If a friend is recommending an app, why would you not at least try it out, right?

Figure 1. SMS message sent from a person whose device is compromised

The site where the link takes the user to introduces an app called Infrared X-Ray that supposedly allows the user to see through clothes when viewed through the device’s camera and of course also allows pictures to be taken.

Figure 2. Screenshot of the page hosting the malicious app

Once the app is executed, details stored in the device’s Contacts are uploaded to a predetermined server.  Not surprisingly, the app does not work as per advertised and a picture of man holding up his middle finger stating that the victim is a pervert is displayed.

Figure 3. “You pervert!”

We have also confirmed that several variants of this app exist and the latest variants have added an interesting payload: rather than sending SMS messages to the victim’s friends and family, the ultimate goal is to scam the victim with something similar to what is called “one-click fraud” in Japan. While the contact data is being stolen and sent to the malware author, the new variants also download and display registration details for a website hosting adult content. The app no longer attempts to turn the camera on like it did previously. Instead, it displays a splash screen for a second or two before displaying a message stating that registration has completed and the victim is asked pay 29,000 yen for the “service”.

Figure 4. Registration details

The app also sends SMS messages detailing the payment. The malware author threatens to contact people found in the victim’s contacts list if the victim doesn’t pay for the “service”. The app continuously displays the registration details and sends SMS messages to the victim’s contacts until the app is uninstalled. In order to make it difficult for the victim to uninstall the app, it removes itself from the launcher after it is initially executed, although it can be removed in Applications under Settings.

Figure 5. SMS message explaining payment details

To stay protected, refrain from clicking links found in messages such as emails and SMS messages from unknown senders as well as suspicious messages from known senders. Furthermore, only download apps from trustworthy vendors. Users who have installed one of Symantec’s security apps, Norton Mobile Security or Symantec Mobile Security, are protected from this threat, which is detected as Android.Uracto. For more general safety tips for smartphones and tablets, please visit our Mobile Security website.