
Android.CoolPaperLeak—Million Download Baby

Created: 08 Jan 2013 12:12:56 GMT • Updated: 23 Jan 2014 18:10:34 GMT • Translations available: 日本語
Lionel Payet

Contributor: Cathal Mullaney

While the use of erotic images to entice users into infecting their computers with malware and security risks is nothing new, Symantec recently discovered three apps on Google Play that pose a security risk (using this carrot-and-stick technique) and that have accumulated between 500,000 and 1,500,000 downloads between them.

The apps in question, "Porn Sexy Models Wallpaper", "Porn Sexy Girls Live Wallpaper", and "Sexy Girls Ass Live Wallpaper", have since been removed from Google Play.

Figure 1. Screenshot of the security risks on Google Play

After a thorough investigation, we can confirm that all three apps (from the same developer) were not modified versions of a genuine and safe app, but were a risk from the beginning. Symantec detects the apps as Android.Coolpaperleak.

Let's have a look at the 'Porn Sexy Model Wallpapers' Android application.

Once the application is downloaded and installed onto the device, a new shortcut is created under the phone's application settings.

Figure 2. Application icon

Once the user launches the application, the app initializes its connection to a remote server. The application then runs a phone identification function, which extracts the following information from the device:

  • Application name
  • Google email address
  • GPS Latitude and Longitude
  • IMEI number of the handset
  • Network operator information

The application then crafts an HTTP POST string using the above information and transmits it to a remote command-and-control (C&C) server, along with a request for the server to contact the following location:
[http://]host1.TUINATA.COM/getur[REMOVED]

Communication with the C&C server

All data exchanges between the C&C server and the compromised devices follow the format seen in Figure 3.

Figure 3. Screen capture of stolen information

The compromised device will send a post containing information identifying the handset and a 'req' field for the data that it needs from the C&C server. The remote server will then reply with an 'ans' field to the Trojan's request. In the above screenshot, we can see the application requesting a server parameter from the C&C server in the form: "req=server". The server will then respond with an answer field in the form: "ans=http://farm.tak[REMOVED]kata.com/geturl.asp"

Some extra data may also be transmitted from the device, depending on the type of request received from the server. Communication between the C&C server and the compromised device continues in this manner, consistently transmitting the sensitive information in each HTTP post until the following two requests are received by the device:

  • Req=ua
  • Req=imagearray

At this point the threat receives a number of URLs from the remote server, which serve as the application's gallery (Figure 4).
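As an added example (not code from the Symantec post or from the app itself), the following detector parses the req/ans exchange described above over a constructed capture. Only the 'req' and 'ans' field names come from the post; the identifier field names and sample values are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumed field names for the identifying data the post lists (the post only
# names the 'req' and 'ans' fields; everything else here is an assumption).
IMEI_RE = re.compile(r"^\d{15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample capture: made-up values, placeholder domain.
SAMPLE_POST = ("appname=Porn+Sexy+Models+Wallpaper&email=victim%40example.com"
               "&lat=48.8566&lon=2.3522&imei=356938035643809&operator=31026&req=server")
SAMPLE_REPLY = "ans=http://farm.example.invalid/geturl.asp"


def parse_beacon(body):
    """Decode a form-encoded POST body into a flat dict (first value per key)."""
    return {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def score_beacon(fields):
    """Return (score, reasons): one point for the req field and one per leaked identifier."""
    reasons = []
    if "req" in fields:
        reasons.append("req=" + fields["req"])
    if IMEI_RE.match(fields.get("imei", "")):
        reasons.append("15-digit IMEI")
    if EMAIL_RE.match(fields.get("email", "")):
        reasons.append("account email")
    if "lat" in fields and "lon" in fields:
        reasons.append("GPS coordinates")
    if "operator" in fields:
        reasons.append("network operator")
    return len(reasons), reasons


def is_suspicious(body, threshold=3):
    """A req field plus at least two device identifiers matches the beacon pattern."""
    fields = parse_beacon(body)
    score, reasons = score_beacon(fields)
    return (score >= threshold and "req" in fields), reasons


def extract_ans(response_body):
    """Pull the URL (or other value) out of the server's 'ans=' reply, else None."""
    return parse_beacon(response_body).get("ans")


if __name__ == "__main__":
    flagged, why = is_suspicious(SAMPLE_POST)
    print("suspicious:", flagged, why)
    print("server answer:", extract_ans(SAMPLE_REPLY))
```

Feeding real HTTP bodies from a proxy log into is_suspicious gives a quick triage signal; the threshold keeps ordinary form posts that merely contain a 'req' parameter from firing.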

Figure 4. Gallery confirmed

The threat will then access a number of different advertisement servers and visit a number of retrieved advertisements, without displaying the resulting output to the user. The application then loads the first gallery image, displaying a small advertisement to the user (but many more are being accessed in the background) as can be seen in Figure 5.

Figure 5. Image with a small advertisement

Note: The app requests the GET_ACCOUNTS Android permission, which allows it to enumerate configured accounts. This does not mean that the user agrees to have account names leaked. Most apps request this permission to see if they can connect the user to some service. However, at no time would a legitimate app actually send the user's account name to its own server.

Finally, let's examine some potential reasons why these types of apps generate so many downloads.

The theme and the targeted audience

The erotic and porn industries are the most browsed on the Internet. Officially they strictly target an adult audience, but their content can easily be accessed by other groups.

Since the smartphone market is in a constant state of growth, people figured out that you don't need to be a visionary to write a successful smartphone application. If you just combine the most downloaded type of apps (wallpapers) with the erotic and porn industries, you will have in your hands the perfect chemistry for a top download application in no time.

Even though Google is very explicit in their guidelines about adult apps: "Your application shouldn't contain content that displays (via text, images, video, or other media) or links to Pornography, obscenity, nudity, or sexual activity", this will not prevent developers from finding ways to circumvent controls either by distributing their apps through other channels or by hiding their true content.

The apps referenced in this blog are good examples of this circumvention. The pictures displayed on the Google Play page are acceptable, and so is their description. But once you browse the wallpapers within the apps, you will find a complete set of pornographic pictures.

Unprotected users

Believe it or not, there is still a large number of smartphone users who do not have security software installed on their phones or tablets, and so malicious applications and security risks run rampant without being noticed. The more detection hits we have, the less chance there is that a malicious application or security risk can live long and prosper on the official market.

Users who have Norton Mobile Security installed on their Android phones are fully protected against this threat.

At least Norton Mobile Security is more successful than the erotic apps on Google Play, with a five-star rating (81,000 votes) and between 5,000,000 and 10,000,000 installations.