Users who download pirated Android apps rather than paying for the legitimate versions on the Android Market may get called out by a high-minded Android Trojan.
An Android application is masquerading as a malicious program to teach phone owners the perils of downloading pirated software from third-party markets or file-sharing sites.
The offending application touts itself as a nonexistent version of a legitimate application, Walk and Text, currently available on the Android Market, Symantec researcher Irfan Asrar wrote on the company's Symantec Connect blog on March 30. Walk and Text v. 1.3.7 can be found on several "renowned file-sharing Websites" throughout North America and Asia, he said. Symantec has identified this mobile Trojan as Android.Walkinwat.
The mobile application doesn't take control of the Android device nor does it compromise user data in any permanent way, but it does collect personal information, such as names, phone numbers and IMEI information, Irfan said. The entire purpose of Android.Walkinwat is to catch and embarrass individuals who download pirated Android applications rather than paying for the legitimate version from the Android Market, Asrar said.
Once downloaded, Walkinwat (v1.3.7) collects sensitive personal data as if it's going to send it to an external server. At this point, the user sees a screen that reads "Processing...Cracking..." followed by a dialog box with a scolding message.
"Application Not Licensed. We really hope you learned something from this. Check your phone bill :) Oh and don't forget to buy the App from the Market," reads the message, with a link to the Android Market.
The Trojan tries to upload the collected information to an external server, but Symantec researchers were unable to verify whether the data was actually sent each time, John Engels, principal product manager of the Enterprise Mobility at Symantec, told eWEEK. "However, the fact of the matter is that it does try to send this personal information up to a server, and we should assume it's been successful with the uploads," he said.
The application is not done with the user yet, as it then sends everyone in the contacts list an embarrassing SMS message: "Hey, just downloaded a pirated App off Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck. Don't steal like I did!"
Although Symantec discovered this Trojan horse on March 30, it appears to have made an appearance in February. A user posted a download link, an MD5 hash of the file and a QR code to download Walk and Text 1.3.6 under a forum thread titled "Walk and Text v1.3.6" on Mobilism, a user-powered database of applications, games, movies and books for all mobile platforms.
Later in the thread, mirror links for v.1.3.7 (which doesn't exist) were posted, but identified by other users as being fraudulent. The Mobilism users seemed to be under the impression that the fake version of Walk and Text also came from Incorporate Apps, the original developers of the real application. It's not clear that's the case, as the developers requested in the same thread that these links be removed and for users to just buy the software legitimately.
Asrar speculated that the application was intentionally spread by the developers to maximize the number of people who see the anti-piracy message or that the developers were trying to undermine the true creators.
Whoever that is, that person has all the phone information of people who've downloaded the Trojan. The implication of that information falling into the wrong hands is more than a little worrying.
"Android.Walkinwat is the first mobile-phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorized sites," wrote Symantec's Asrar on the blog.
Ironically, the malware developers took steps to ensure Android.Walkinwat can't be pirated. The Trojan employs a routine built into the License Verification Library on the Android platform to help prevent piracy, and the developers obfuscated the code, Asrar said.
The latest and legitimate version of Walk and Text on the Android Market is currently v1.5.3.