Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Android.Exprespam Authors Revamp Gcogle Play to Android Express’s Play

Created: 14 Jan 2013 17:00:37 GMT • Updated: 23 Jan 2014 18:10:22 GMT • Translations available: 日本語
Joji Hamada's picture
+3 3 Votes
Login to vote

When Android.Exprespam was discovered earlier this month, we quickly posted a blog warning users about the malware and discussing the details of the attack. Word spread quickly as the media, as well as the local authorities, pushed the news out to a wide audience. It seems like the scammers thought the news had reached enough people and that it was time they updated the malware and the fake market in order to start their attack afresh with new content that people are not familiar with.

The new fake market is called ANDROID EXPRESS’s PLAY (ANDROID EXPRESSのPLAY in Japanese). According to the site, it is maintained by Gcogle.

Figure 1. App page showing the name of the fake Google Play site

The domain name for the market was registered on January 7, which coincidently is the date when our blog was published. The signature of the malicious Android app is signed to be valid from January 9, 2013.

The scam, as in the past, starts off with spam emails that look like a newsletter advertising Android apps. An example email can be seen in Figure 2 below. It is worth noting that the content of the spam varies and could be updated at any time.

Figure 2. Example of a spam email

The new lineup of non-existing apps the scammers have prepared are listed in the table below.  They include some new interesting types of app such as a spam blocker, a TV viewer for phones that do not have a TV function, a database for recipes from famous chefs, and a battery discharger app.

Figure 3. Example app page from fake market

Ultimately, attempting to download any of the nine apps leads to the same malicious app called Android 専用端末アプ. Once the malicious app is executed, personal information, including the device’s phone number and the names and email addresses stored in Contacts, is uploaded to a remote location.

This group of scammers does not seem to want to go away any time soon, so we may have to continue to play this cat-and-mouse game with them for a while. We are also aware of at least two more similar scams currently targeting Japanese Android users (Android.Enesoluty and Android.Ecobatry) although these have not updated their content on the fake market sites. 

To stay protected, please refrain from clicking on links in emails from unknown senders and do not download apps from untrusted vendors. Users who have Symantec’s security apps, such as Norton Mobile Security or Symantec Mobile Security, are protected from this threat–detected as Android.Exprespam. For general safety tips for smartphones and tablets, please visit our Mobile Security website.

Update [January 17, 2012] - The malware authors have since removed all reference to "Gcogle" and are now referring to themselves as ANDROID EXPRESS. It is interesting to see how this cat-and-mouse game is playing out. We are continually monitoring their movements to keep our customers protected.

Figure 4. Reference to "Gcogle" has now been removed