Video Screencast Help
Security Response

Anime Character Anaru Exploited to Help Steal Android Contact Details

Created: 27 Jul 2012 11:19:26 GMT • Updated: 23 Jan 2014 18:13:43 GMT • Translations available: 日本語
Joji Hamada's picture
0 0 Votes
Login to vote

Earlier in the week, I blogged about Android.Ackposts that is a malware used to harvest email accounts on compromised devices and in the blog I mentioned that malware targeting contact data on smartphones is becoming a popular trend. Discovery of Android.Maistealer again confirms our view, and users really need to be careful when apps ask for permission to read contact data.

The installation of Android.Maistealer requests the following permissions:

The key permission here is “Your personal information—read contact data.” This permission allows contact details stored in the phone’s contacts to be read, but this app has absolutely no legitimate reason to request this. “Storage” is also requested so that the app can temporarily store the acquired data on the SD card and “Network communication” is used to upload the data. Many apps require these two permissions, so it can be difficult to determine if clean apps really need them or not.

Android.Maistealer was submitted by one individual to Symantec for analysis, but does not appear to be wide-spread. It could actually have been created for experimental purposes or maybe just for fun, and no one might have ever installed it to date. While the app steals contact details, it also works as advertised. The app allows users to wiggle the character’s breasts when they are touched on the screen. The character looks to be the famous Anime character named Naruko "Anaru" Anjō from the show “Anohana: The Flower We Saw That Day” which has been superimposed to appear topless. It is difficult to spot any malicious intent by the app if the permissions during installation are neglected.

The app is hosted on a dedicated website though it may be available elsewhere. The site has no visual content and only contains a few files and folders that can be viewed in an index. The stolen data is uploaded to the same site as well. The index is very basic as you can see below. Livewall1.apk is the malicious app, rv.php is the file that is used to collect the uploaded data, and info.php just contains details about the current state of the PHP settings on the server. Folders with dates used as folder names store the uploaded personal data.

Data for each exfiltration is contained in a text file saved under the folders mentioned above and looks like the following:

At the time of writing, the only contact details uploaded to the site that I can confirm are the dummy data that I created on a test device to run the app.

The site’s domain is registered to an individual who owns several other domains. It appears he has registered using fake details, such as a mailing address, which does not exist and a telephone number that is not in use at the moment. I am not sure what he is up to, but I am sure he is up to no good.

This particular app may not be prevalent at all, but is a good example of how easily apps like this can be created. And many are being creating and distributed that have resulted in many users being victimized. As I stated earlier, apps targeting contact data is on the rise. I cannot stress enough that checking permissions during installation is important. Once installed, it not only are you affected, but all your friends and family whose details are stored in the phone’s Contacts are also affected.

Users need to be wary when installing apps: it is often safer to stick with established and trusted app markets to download from. I also recommend using a security app, such as Norton Mobile Security, to help protect your device.