Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Big Poker Player Loses High-Stakes Android Scam Game

Created: 25 Jul 2013 12:25:33 GMT • Updated: 23 Jan 2014 18:05:07 GMT • Translations available: 日本語
Joji Hamada's picture
+1 1 Vote
Login to vote

poker_player_concept.png

Earlier this week, the Chiba Prefectural Police in Japan arrested nine individuals for distributing spam that included emails with links to download Android.Enesoluty - a malware used to collect contact details stored on the owner’s device. The arrested men include Masaaki Kagawa, the 50-year-old president of the Koei Planning, an IT firm located in Shibuya, Tokyo. He is also apparently known as an avid poker player who participates in poker tournaments worldwide and has earned over a million US dollars in these competitions. He appears to be the main player running the operation. His passion for taking chances and risks has paid off in the game of Poker, but it’s not looking good for his gambling with Android malware. Kagawa and his associates now await a likely prosecution.

From our observations, the operation began around September, 2012 and ended in April, 2013 when authorities raided the company office. We confirmed around 150 domains were registered to host the malicious apps during this time span. According to media reports, the group was able to collect approximately 37 million email addresses from around 810,000 Android devices. The company earned over 390 million yen (approximately 3.9 million US dollars) by running a fake online dating service called Sakura site in the last five months of the spam operation. Spam used to lure victims to the dating site was sent to the addresses collected by the malware.

Symantec has closely followed the Enesoluty scam since July, 2012. Details of events can be found in the following blogs:

We also believe Android.Maistealer and Android.Enesoluty share common source code with another malware, called Android.Uracto, and that a different group of scammers were maintaining the latter, as the distribution strategy of the malware differs considerably. It is believed that this other group has yet to be identified, so there will probably be another few twists and turns to this story in the future. Details of the scams performed by Android.Uracto can be found in the following two blogs:

To conclude this blog, we would like to commend the Chiba Prefectural Police for making this arrest. Symantec has been working in cooperation with the investigators to make this arrest happen and will continue to assist in the prosecution and sentencing of the criminals as needed.