Topic: Japanese Chat App for Android Steals Phone Numbers

[Pez]

Japanese Chat App for Android Steals Phone Numbers

There have been many reports today of Android malware that steals users’ sensitive information and threatens the privacy of smartphone users. McAfee has recently found suspicious chat applications for Japanese users on Google Play. These apps are capable of retrieving a user’s phone number and secretly sending it to the developer’s web server. This information-leaking code is implemented using JavaScript.


Figure 1: Two suspicious chat applications found on Google Play Japan.

("click the images to make them larger")


Figure 2: The app’s description page emphasizes “Registration Not Required.”

Despite the developer’s claim that registration is “not required” on Google Play’s description page, the phone number of the device is sent to a remote web server managed by the developer once the user tries to connect to the chat service, and with no notice. The retrieved phone number is actually encrypted before sending, but it is apparent that the developer can decrypt the data later on the server.

We do not know whether the developer will use these phone numbers for malicious purposes, but gathering such sensitive information without a user’s knowledge is a big problem. We can also assume the developer is deceiving or at least misleading users. Finally, the chat service does not appear to work, at least in our research. Fortunately, we count fewer than several hundred downloads of these two applications.


Figure 3: When users tap the button on this chat screen, their phone numbers are secretly sent to the developer.

Unlike most Android malware, this suspicious code is implemented in HTML/JavaScript, hosted on the server, that interfaces with a custom JavaScript interface using WebView to call Android APIs. In the Java code, the application defines a custom JavaScript method getNo(), which calls the TelephonyManager.getLine1Number() method of the Android API and returns the encrypted phone number. The app then exports the method in the “android” object to be used from the JavaScript code. The code in the HTML hosted on the server calls the android.getNo() method to get the data and send it to the same server via XMLHttpRequest (or HTTP POST via form, as used in another variant) when the user takes a certain action on the page such as tapping a button.


Figure 4: Java code for the custom JavaScript object to access the device’s phone number.


Figure 5: This JavaScript code accesses the phone number using the custom object and sends it to server.

The JavaScript code is implemented so that it can work even outside the Android application, for example, when the chat site is visited via web browsers. In this case, an unimportant string generated from the current date is used instead of the phone number, which means the service can work even without using phone numbers. From this, we can also see the developer’s malicious intent of trying to steal private information whenever it is accessed from the Android app.

There are some well-known HTML/JavaScript-based development frameworks, such as Apache Cordova (a.k.a. PhoneGap), which allow developers to write application logic in HTML/JavaScript and also access Android APIs internally using the same mechanism described above. In most of these cases, the HTML/JavaScript code is packaged in the application package file (APK), together with the development framework library, where it is easy to analyze potentially risky or malicious code.

On the other hand, this suspicious application’s code is hosted on the server, not in the APK, making static analysis more difficult than usual, especially due to the dynamic nature of its server HTML/JavaScript code. What is worse, the custom JavaScript object can be abused by other malicious sites as well to steal sensitive information once the users navigate using WebView from the original application to such sites.

With HTML/JavaScript gaining popularity as an application development language especially for mobile devices, along with their being expected as the main application vehicle in new Web-oriented mobile platforms like Tizen and Firefox, we predict an increase in this type of mobile threat in near future.

McAfee Mobile Security detects these suspicious applications as Android/ChatLeaker.A.


Original article: By Daisuke Nakajima on Nov 21, 2013

[Pez]

JavaScript Apps on Google Play Steal Korean Phone Numbers

In a recent blog (see a above:), McAfee Labs reported on suspicious JavaScript-based Android chat applications for Japanese users. These apps were found on Google Play, and steal users’ phone numbers. We have now found about 120 applications that use similar, but not the same, JavaScript techniques to steal a device’s phone number. These apps seem to mainly target Korean users. These apps use a JavaScript-based hybrid mobile application development framework, Appspresso.

Figure 1: Examples of suspicious apps on Google Play that target Korean users.

("click the images to make them larger")

These apps appear to have been uploaded to Google Play since early November. The total number of downloads ranges from 170,000 to 640,000 so far, according to Google Play statistics. Because the user interface of these apps supports only Korean, we guess the main target of these applications is Korean users. However, we can also find these apps on Google Play Japan by searching for words related to pornography. Most of them, though not all, are related to adult content.

Figure 2: One of the suspicious apps offers (non-adult) wallpaper.

When launched, these apps automatically retrieve the device’s phone number and send it to a server managed by the developer, without any prior notice to the user. Because the use of the phone number does not seem related to the app’s functionality, we can safely say they are designed to secretly collect users’ phone numbers.

Figure 3: Several screens from one of the phone number-stealing Korean-language apps.

Appspresso, a JavaScript-based, cross-platform hybrid mobile application development framework, is used in all of these applications. This framework enables developers to write application logic in HTML and JavaScript while using functionalities of the underlying platform, Android in this case, via JavaScript APIs. That is, the framework bridges between Java and JavaScript. This framework also allows developers to add custom plug-ins implementing additional JavaScript APIs.

These apps implement the custom plug-in for retrieving a device’s phone number, using the TelephonyManager.getLine1Number() API, and enabling their JavaScript code to use the “phone” interface to get the phone number. Then the JavaScript code sends the information to the developer’s server, specifying it as a query parameter in the URL loaded into the custom WebView at application launch.

Figure 4: Java code for defining the plug-in’s phone() method used from JavaScript.

The Java code preprocesses the retrieved phone number only if the number starts with “+82,” the country code of South Korea.

Figure 5: JavaScript code to get a phone number and send it to another server.

McAfee Mobile Security detects these applications as Android/AxLeaker.A.


Original article: By Daisuke Nakajima on Nov 24, 2013

[Pez]

More Japanese Chat Apps on Google Play Steal Phone Numbers

In two recent blogs, McAfee Labs described Japanese and Korean Android apps on Google Play that steal a mobile device’s phone number. We have now found two more Japanese chat apps that show similar behavior. These two apps have been downloaded between 10,000 and 50,000 times each. The developers of these apps have manipulated the ratings of their apps on Google Play in a prohibited, unfair way and also operate several suspicious sites offering adult-dating services.




Figure 1: Two Japanese chat apps steal a device’s phone number.

("click the images to make them larger")

The apps, Chatline and Connect Line, give users the impression that the apps are related to Line, a popular messaging app in Japan, though they actually have no relationship at all.

The apps retrieve a device’s phone number, International Mobile Equipment Identity (IMEI), and Subscriber Identity Module (SIM) serial numbers, and send them to a remote web server. This occurs when users launch the apps and before they create user profiles for the chat service. Moreover, if a user creates a profile for the service, information such as nickname, gender, city of residence, birthday, and self-introduction provided on the application screen are sent with the other numbers. A user is not required to input real information, if a user adds more detailed personal or attribute data–such as hobby and preferences while chatting–this information might be stored on the developer’s site, associated with the phone number. This can be a big privacy risk.



Figure 2: The application screens of the two suspicious chat apps.




Figure 3: An example of sensitive data sent from the apps to the developer’s web server.

The apps request READ_PHONE_STATE and other permissions at installation, but do not tell users that they will retrieve the device’s phone number and other information and send that to the developer’s server. There’s no hint in the description of the apps, their screens, the terms and conditions, or the privacy policies. These apps know how to keep a secret.

On Google Play these apps are getting very high scores in user reviews, but these unnaturally high scores seem to come from cheating. In these apps, users need to pay a service fee to chat. Users receive a small amount of free credit to start using the service, and this credit is soon exhausted. Then users are prompted to buy new credits via Google Wallet to continue chatting. At this point, the service makes attractive offer to give more free credits if users will give a high review score (4 or 5) to the app on Google Play. App-ratings manipulation by offering incentives to users is strictly prohibited by Google Play Developer Program Policies. It is clear that the apps violate this policy, which tells us the developers are already breaking the rules.




Figure 4: Chatline offers incentives to users for manipulating its ratings on Google Play.


The implementation code of these two apps is almost the same, which implies they were built and published by the same developer or by related parties. Our investigation into the developers–based on the company information found on the apps–reveals they operate several suspicious adult-dating sites. We have not confirmed that the collected phone numbers and other information are being used for fraudulent or other malicious purposes. But users of these apps should be aware that their private information is being sent to such companies in the adult-dating business.



Figure 5: Adult-dating services operated by the developers of these apps.


Users of Android devices should always be careful about potential information leaks caused by apps. They should check permission requests by an app at its installation, the application’s description page on Google Play, the privacy policy, and terms and conditions. If such an information leak is possible, users should always check if the developer of an app is really trustworthy. We strongly recommend against installing very new chat/communication/SNS-related apps published by unknown developers.

McAfee Mobile Security detects these apps as Android/ChatLeaker.B.


Original article: By Daisuke Nakajima on Nov 27, 2013

[Guillermo Morgan]

I highly recommend this app. Thank you for providing this great information for me and my readers to know. clash royale chino apk última versión