The Latest in IT Security

Spam Trick Users to Download ANDROIDOS_CONTACTS.E

13
Sep
2012

We were alerted in July 2012 about malicious apps that we detect as ANDROIDOS_CONTACTS.E. We investigated the related spam, which arrives on the mobile device. What is noteworthy about this threat is that the spam were distributed not only to smartphones, but also to feature phones as well.

This indicates that the spammers may have carried out indiscriminate attacks targeting the email addresses provided by telecommunication carriers.

In Japan, this carrier email address is popular among mobile users since this email address can be accessed on both mobile devices and systems. Also, each telecommunications carrier provides a service that blocks spam mails. This feature may have resulted to users being complacent when it comes to the security of their carrier email addresses.

Spammers understand users’ tendency to be too trusting, thus they distributed these spam to carrier email addresses to increase their attack’s success.

So far, we can categorize the URLs in these spam into three types:

  • URLs that directly lead to download an APK package of Android app
  • URLs that lead to a malicious web page disguised as a legitimate app market store
  • Shortened URLs

Let’s focus on the 3rd type of URL. When users click the shortened URL, they are lead to a webpage set up by the spammer or their partners. In this scenario, it is possible that it may either lead to the downloading an APK package or to a web page disguised as a legitimate app store.

Why do spammers leverage this shortened URL service? Users find it difficult to double check the complete URL based on the shortened URL, thus the higher rate of users inadvertently clicking a malicious link. Furthermore, some shortened URL services can count user clicks in real-time. So if a particular link had less clicks, spammers can use a different shortened link which had more clicks in their future spam run.

Now, let’s focus on those URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which is supposedly an app that charges by using solar light.

According to the app’s description page, the reason why this is not available on Google Play is that it is on its limited launch. Also, it encourages users to activate installation of other apps.

In the evaluation section of the web page, we saw some good feedback, though it does not have a section where users can rate the app. The feedback may be spoofed and is used to trick users to bolster the apps credibility.

Here is a list of apps we detect as ANDROIDOS_CONTACTS.E that users may encounter via spam mails.

Trend Micro protects users from this threat via Trend Micro Mobile Security for Android, which detects ANDROIDOS_CONTACTS.E.

In our follow up blog entry, we’ll take a look at a particular app detected as ANDROIDOS_CONTACTS.E, specifically its information theft routine.

Related posts:
  1. Digging Deeper Into ANDROIDOS_CONTACTS.E’s Data Stealing Routines
  2. Spam with .gov URLs
  3. Increased usage of unregistered spam domains
  4. Tricky New Facebook Spam Technique
  5. Sun Charger, the Latest Android.Sumzand Variant, Continues the Massive Spam Campaign

Tags:  
Written by TrendLabs
0 Comments

Leave a reply


Categories

SUNDAY, FEBRUARY 23, 2025
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments