Video Screencast Help
Security Response

Android Threat Tackles Piracy Using Austere Justice Measures

Created: 30 Mar 2011 22:55:17 GMT • Updated: 23 Jan 2014 18:21:51 GMT • Translations available: 日本語
Irfan Asrar's picture
+3 5 Votes
Login to vote

Android.Walkinwat is the first mobile phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorized sites.

Figure 1 – Messages displayed by the Trojan

Presented as a non-existent version (V 1.3.7) of Walk and Text, an application that is available on the Android Market, Android.Walkinwat can be found on several renowned file sharing websites throughout North America and Asia. One could make the case that this app was intentionally spread in these regions by the creators of the threat in order to maximize the download prevalence and convey their message to as large an audience as possible, however one could also make the case the creator of Android.Walkinwat is attempting to undermine the publisher of Walk and Text.

Once running the app, the user is presented with a dialog box that gives the appearance that the app is in the process of being compromised or cracked, when in fact, the app is gathering and attempting to send back sensitive data (name, phone number, IMEI information, etc.) to an external server.

Figure 2 – What happens in the background

Additionally, the app sends out the following SMS messages to all the contacts in the contact list:

Figure 3 – SMS message sent to all contacts in the contact list

Interestingly enough, the Trojan performs the above set of actions in a routine of Android.Walkinwat called “LicenseCheck”, something traditionally used by legitimate apps for license management in conjunction with a Licensing Verification Library available for the Android platform to help prevent piracy. The authors of the malicious code have taken an extra step to make sure that their app was obfuscated, which is another recommended measure to prevent piracy.

Figure 4 – The LicensingService and LicenseCheck routines

The app concludes with a final message to the user, reminding them to check their phone bill, as well as providing an option of buying the legitimate version of the app from the Android App market.

Figure 5 – Final message displayed by the threat

Although this isn’t the first case of disciplinary justice being used as means to send a message against piracy, this is the first of its kind discovered on the mobile landscape.