In many ways, Japan is a canary in the coal mine for mobile malware: the number of apps that raise privacy and security concerns (including the first mobile malware to be used in an extortion racket) continues to grow at an alarming rate. Since the beginning of the year, the number of new threats targeting Japanese users on the Android platform has increased by 200% compared with the same period last year.
Figure 1. Increase in malware targeting Japanese Android devices
Not every threat, however, is built for monetary gain or to harvest private data: Japan has also seen its share of bizarre malware. Symantec has now discovered yet another piece of malware that can only be described as ‘bizarre’.
Android.Kabstamper is a Trojan horse embedded in a fan news app for AKB48, an immensely popular Japanese girl group. Based on our analysis so far, the devices most likely to be infected are those whose users downloaded apps from third-party markets to follow what some are calling the biggest event of the year in Japan: the annual AKB48 election. The Trojan’s only functionality is to destroy the images stored on the device, which it does by superimposing an image of its own over every image it finds there.
Figure 2. An example of how the threat superimposes an image onto images found on the compromised device
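A threat that stamps every stored picture in a single pass leaves a simple forensic trace: all the affected files end up with modification times clustered within a few seconds. The following triage helper is an added example written for this post; it is not Symantec’s tooling and not code taken from Android.Kabstamper. It assumes the images have already been copied off the device (for example from external storage) into a local folder, and the 60-second window, the five-file minimum and the sample files it constructs are all assumptions chosen for illustration.

```python
"""Triage helper: flag image files that were all rewritten in one burst.

Added example, not Symantec code or code from the Trojan. Assumes the
device's image folder has been pulled to a local directory and that a
mass stamping pass leaves a tight cluster of modification times.
"""
import os
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def image_mtimes(root):
    """Return (path, mtime) for every image file found under root."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES:
            out.append((p, p.stat().st_mtime))
    return out


def find_burst(mtimes, window_seconds=60, min_files=5):
    """Largest group of files whose mtimes all fall within window_seconds.

    Returns the paths in that group, or [] if the group is smaller than
    min_files. Sliding window over the sorted timestamps, O(n log n).
    The thresholds are assumptions; tune them to the case at hand.
    """
    items = sorted(mtimes, key=lambda t: t[1])
    best = []
    start = 0
    for end in range(len(items)):
        while items[end][1] - items[start][1] > window_seconds:
            start += 1
        if end - start + 1 > len(best):
            best = [p for p, _ in items[start:end + 1]]
    return best if len(best) >= min_files else []


def build_sample(root):
    """Constructed sample data (assumption): eight 'photos' taken about a
    month apart, of which the first six were then rewritten in one pass."""
    root = Path(root)
    base = 1_600_000_000  # arbitrary epoch seconds
    for i in range(8):
        f = root / f"IMG_{i:04d}.jpg"
        f.write_bytes(b"\xff\xd8\xff" + bytes([i]) * 16)  # fake JPEG header
        taken = base + i * 30 * 86400
        os.utime(f, (taken, taken))
    stamped = base + 400 * 86400
    for i in range(6):  # the stamping pass touches six files within 5 s
        f = root / f"IMG_{i:04d}.jpg"
        os.utime(f, (stamped + i, stamped + i))
    return root


def triage_sample():
    """Run the heuristic over the constructed sample; returns flagged names."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        burst = find_burst(image_mtimes(d))
        return sorted(p.name for p in burst)


if __name__ == "__main__":
    print(triage_sample())  # → the six files rewritten together
```

Because the Trojan rewrites images rather than deleting them, timestamps are the cheapest indicator to check first; the flagged files are then the ones to compare against backups or against the overlay seen in Figure 2.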
It appears that the original app, before it was modified in this malicious fashion, was available on the official Google Play site but has since been removed or suspended. We do not believe the suspension was related to the presence of a Trojan, nor do we believe the original app was capable of doing any harm to stored images. Given the short interval between the app disappearing from Google Play and the threat appearing in the wild (just days ahead of the AKB48 election), the Trojan was most likely created recently by modifying a pirated copy of the app.
We are still investigating whether this threat is a modified version of one we have seen in the recent past, either through code reuse or because a toolkit is being used to generate these image-stamping apps. We will update this post with any additional findings.