Android Trojan Displays Anti-Piracy PSA While Stealing Phone Data
An Android application is masquerading as a malicious program to teach phone owners the perils of downloading pirated software from third-party markets or file-sharing sites.
The offending application touts itself as a nonexistent version of a legitimate application Walk and Text currently available on the Android Market, Symantec researcher Irfan Asrar wrote on the company's Symantec Connect blog on March 30. Walk and Text v. 1.3.7 can be found on several "renowned file-sharing Websites" throughout North America and Asia, he said. Symantec has identified this mobile Trojan as Android.Walkinwat.
The mobile application doesn't take control of the Android device nor does it compromise user data in any permanent way, but it does collect personal information, such as names, phone numbers and IMEI information, Irfan said. The entire purpose of Android.Walkinwat is to catch and embarrass individuals who download pirated Android applications rather than paying for the legitimate version from the Android Market, Asrar said.
Once downloaded, Walkinwat (v1.3.7) collects sensitive personal data as if it's going to send it to an external server. At this point, the user sees a screen that reads "Processing...Cracking..." followed by a dialog box with a scolding message.
"Application Not Licensed. We really hope you learned something from this. Check your phone bill :) Oh and don't forget to buy the App from the Market," reads the message, with a link to the Android Market.
The Trojan tries to upload the collected information to an external server, but Symantec researchers were unable to verify whether the data was actually sent each time, John Engels, principle product manager of the Enterprise Mobility at Symantec, told eWEEK. "However, the fact of the matter is that it does try to send this personal information up to a server, and we should assume it's been successful with the uploads," he said.
The application is not done with the user yet, as it then sends everyone in the contacts list an embarrassing SMS message: "Hey, just downloaded a pirated App off Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck. Don't steal like I did!"
Although Symantec discovered this Trojan horse on March 30, it appears to have made an appearance in February. A user posted a download link, MD5 hash of the file and a QD code to download Walk and Text 1.3.6 under a forum thread titled "Walk and Text v1.3.6" on Mobilism, a user-powered database of applications, games, movies and books for all mobile platforms.
Later in the thread, mirror links for v.1.3.7 (which doesn't exist) were posted, but identified by other users as being fraudulent. The Mobilism users seemed to be under the impression that the fake version of Walk and Text also came from Incorporate Apps, the original developers of the real application. It's not clear that's the case, as the developers requested in the same thread that these links be removed and for users to just buy the software legitimately.
Asrar speculated that the application was intentionally spread by the developers to maximize the number of people who see the anti-piracy message or that the developers were trying to undermine the true creators.
Whoever that is, that person has all the phone information of people who've downloaded the Trojan. The implication of that information falling into the wrong hands is a more than little worrying.
"Android.Walkinwat is the first mobile-phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorized sites," wrote Symantec's Asrar on the blog.
Ironically, the malware developers took steps to ensure Android.Walkinwat can't be pirated. The Trojan employs a routine built into the Licensing Verification Library on the Android platform to help prevent piracy and the developers obfuscated the code, Asrar said.
The latest and legitimate version of Walk and Text on the Android Market is currently v1.5.3.