Android Trojan Found on Apps in Japan: McAfee

The malware, which is designed to steal sensitive data from Android smartphones, should serve as a warning to users about permission requests.

New malware found in 15 Android apps in the official Google Play marketplace should serve as a cautionary tale to Android device users to pay attention to the permission requests that pop up as an app is downloading, according to a researcher at antivirus software vendor McAfee.

McAfee€™s discovery of the data-stealing apps also is an indication that Google€™s new Bouncer security service, created to keep malware out of the Google Play store, may not be able to catch everything.

In an April 13 post on McAfee€™s official blog, Carlos Castillo, a malware researcher with McAfee Labs, said the Android Trojan, aimed at Android users in Japan, masqueraded as apps offering to display trailers of upcoming Android video games or anime or Japanese adult videos.

According to Castillo, when the app is downloaded and is about to be installed, two permissions are requested€”one to read the contact data on the Android device and the other to read the €œphone state and identity.€ Neither of these permissions is needed for such applications, he wrote, which should signal a warning to Android device users.

Once the permissions are granted, users see a Web page indicating the trailer is loading. However, in the background and unseen by the user, the malicious code takes sensitive information from the device, including the Android ID, which Castillo said is a 64-bit number that is randomly generated the first time the Android device is booted up and remains constant throughout the life of the device.

The €œread phone state€ permission allows the malware to grab the phone number of the device, as well as the names, phone numbers and email addresses of those people on the device€™s contact list. The information is then sent to a remote server and, if that is successful, the malware requests a specific video be sent to the same server. The video is then shown using a VideoView component, Castillo wrote.

If the information is not successfully sent to the server€”for example, the device is not connected to the Internet€”a message pops up in Japanese saying that an error occurred keeping the video from loading, he wrote.

McAfee identified 15 apps from two different developers that had been downloaded about 70,000 times, according to Google Play statistics. All the apps have been removed from the Google Play store, Castillo said. The vendor detected the Trojan as Android/DougaLeaker.A.

McAfee€™s discovery of the Japanese Android Trojan came around the same time that security software vendor Sophos said it had discovered a Trojan horse masquerading as the popular Angry Birds Space game from Rovio. In that case, the Android Trojan comes from apps downloaded from third-party, unofficial Android app stores, not the official Google Play site.

With the rising popularity of smartphones in general, the growing market share and open market for Android in particular, devices with the Google operating system are coming under increasing attack from scammers, according to a report released in February by Juniper Networks.

According to the report, while malware specifically targeted at mobile operating systems in general€”including Android, Apple€™s iOS and Research In Motion€™s BlackBerry€”grew 155 percent between 2010 and 2011, the incidence of malware in Android jumped 3,325 percent.