Security Response

Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More

Created: 18 Mar 2013 16:45:32 GMT • Updated: 23 Jan 2014 18:08:56 GMT • Translations available: 日本語
By Joji Hamada

Earlier today, we blogged about Android.Uracto, a malicious app that sends spam SMS messages in an attempt to infect other devices or to scam users into paying a fee for a non-existent service. Further investigation into the attack has led us to discover more apps prepared by the same group of scammers. So far we have found a total of 10 apps hosted on a few dedicated domains believed to be maintained by the group. The servers hosting the domains appear to be located in Singapore and in Georgia in the United States, and they are still live at the time of this writing.
 

Figure 1. Market pages for the 10 apps
 

Though the apps differ in appearance, they can be broken down into three main variants. The first steals data stored in the device's Contacts. The second also steals contact details, and additionally sends SMS messages containing a link to download the malicious app to all of the contacts. The third steals contact details and attempts to scam the victim into paying for fake services.
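A quick way to shortlist APKs that could support the behaviour of these variants is to look at the permissions their manifests request. The script below is an added example, not code from this post or from the Uracto samples. It assumes the AndroidManifest.xml has already been decoded to plain XML (for example with apktool) and that the permission sets it checks are the minimum standard Android permissions needed for contact theft and SMS sending; neither assumption comes from the samples themselves. Variants one and three need the same permissions (the fake-service scam happens in the app's content, not through a permission), so only the SMS-spamming profile can be singled out this way.

```python
"""Permission triage for the three behaviour profiles described above.

Added example, not code from the Symantec post or from the Uracto samples.
Assumptions: the AndroidManifest.xml has already been decoded to plain XML
(e.g. with apktool), and the permission sets below are the minimum standard
Android permissions an app would need for the described behaviour. They are
not taken from the actual samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Minimum permissions implied by each behaviour (assumption, see above).
CONTACT_THEFT = {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}
SMS_SPAM = CONTACT_THEFT | {"android.permission.SEND_SMS"}


def requested_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def classify(manifest_xml):
    """Map a manifest to the variant profile it could support.

    Variants 1 and 3 need the same permissions (the scam in variant 3 is
    carried out in the app's content, not via a permission), so they cannot
    be told apart here; only the SMS-spamming variant stands out.
    """
    perms = requested_permissions(manifest_xml)
    if SMS_SPAM <= perms:
        return "contact theft + SMS spam"
    if CONTACT_THEFT <= perms:
        return "contact theft"
    return "no match"


# Constructed manifests for demonstration (not real samples).
SPAMMER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fortune">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Fortune Teller"/>
</manifest>
"""

STEALER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.comics">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Comics"/>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in [("fortune", SPAMMER_MANIFEST), ("comics", STEALER_MANIFEST),
                      ("notes", BENIGN_MANIFEST)]:
        print(name, "->", classify(xml))
```

This only shortlists candidates for manual analysis: a legitimate contacts or SMS backup app requests the same permissions, so a match says an app could behave like these variants, not that it does.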

The apps include ones aimed at mothers raising kids, video game emulators, apps that let users read comics for free, apps for reading celebrity gossip, a fortune teller app, an adult video viewer, and an app that claims to let the device's camera see through clothes.
 

Figure 2. Icons of the 10 apps
 

It is unknown at this point how the Android devices' owners are lured to the sites. The sites are reachable by ordinary web browsing, but spam could also be used, as this is a common way of luring people into downloading Android threats in Japan.

It appears that some of the apps may have been around for a while. Directory listings on some of the servers hosting the apps indicate that they were hosted there as early as July 2012.
 

Figure 3. Directory lists of the servers hosting the apps
 

One other interesting point is that Android.Uracto shares common code with Android.Enesoluty, which is still very much active in the wild, and with Android.Maistealer as well. We believe Android.Maistealer was created as the prototype for Android.Enesoluty; our earlier blogs on these two threats describe them in more detail.

Could these malicious apps be maintained by the same group of scammers, or was the same developer hired to create malware for two different groups? We will continue to investigate this and hope to give you an update at a later date.