How Android Malware Lurks in Adult Apps

Zscaler finds two instances in which mobile malware authors are luring victims with lurid Android apps.

Android mobile malware is able to infiltrate user devices in many ways and, according to security firm Zscaler, adult apps are one such path to infection. Zscaler has identified a pair of adult-themed apps that are infecting users with malware; neither app, however, is hosted on the official Google Play Android app store.

"We regularly scan the Google Play store and non-official app stores," Deepen Desai, Zscaler's head of security research, told eWEEK. "However, we have not found any aggressive [sexually explicit] apps on the Google Play store yet."

In one case, a Chinese SMS Trojan is hidden inside a Chinese-language adult app. Once a user installs the app, random adult sites are shown to the user in the foreground, while in the background, the app sends the user's information via SMS to the attackers. The malware can access the user's information in part because the user grants the app its requested permissions at install time.

"It is always highly recommended for mobile users to understand the permissions," Desai said.

That being the case, Desai added that the vetting process for app permissions in app stores is often not very strict, and users will often encounter legitimate apps asking for a large set of permissions not relevant to the original functionality of the app.

"This usually means that a lot of mobile users ignore the permissions page while installing the apps," Desai said.

The other adult app containing malware that Zscaler discovered attempts to scare victims with a fake security notice. After a user installs the app, the user's screen shows a fake warning from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) claiming the device was found to be visiting sites containing forbidden sexually explicit content. The malware will steal the user's information, including email inbox messages, and send it to a remote command and control (C&C) server. Zscaler calls this an SMS Infostealer attack.

"The command and control server for the SMS Trojan app is located in Hong Kong, whereas the command and control server for the SMS Infostealer app is located in the United States," Desai said.

Of particular note for both SMS Trojan and Infostealer is that common mobile antivirus technologies were largely unable to detect either form of malware. Zscaler ran the SMS Trojan through the VirusTotal database of antivirus scanning engines, and only six out of 53 engines were able to detect the threat. For SMS Infostealer, the numbers are a little bit better, with 12 out of 53 antivirus engines finding the malware.

Since neither of the adult apps in question was found in the Google Play store, Zscaler did not reach out to Google before publicly disclosing the risk today. That said, Zscaler will now be contacting Google with a full analysis, according to Desai.

Even for apps that are not hosted on the Google Play store, Google provides an additional layer of protection that can help protect Android users. The Google Verify Apps technology is able to scan a user's device and find security threats.

"This feature [Verify Apps] was not able to flag the malicious app or stop the installation," Desai said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.