Recently, I wrote a blog describing the current status of Android malware thriving in Japan and much of the focus was on one particular family: Android.Enesoluty. I don’t know whether the authors of Android.Enesoluty read the blog or came across a news article discussing the content of it, but a few days later the app sites distributing the malware contained a user agreement. This was most likely done in an attempt to make the apps legal and ultimately avoid an arrest and prosecution as the Japanese authorities increase their pursuit of Android malware creators.
Until recently, the app pages hosting Android.Enesoluty only contained false descriptions of the apps, fake download counts, fake reviews, and links that download the apps. They did not have anything with regard to a user agreement. Currently, the pages all contain a link to a user agreement along with the same false information.
Figure 1. Download page before the blog posting
Figure 2. Download page after the blog posting
As you can see, the link is placed at the bottom of the page, meaning that the user would have to scroll all the way down to notice that it exists. The average user would never spot it since the download button is at the very top. A similar tactic was used by another Japanese Android malware called Android.Oneclickfraud, which scammed users into registering for a paid video service.
If you open the user agreement page, you will notice that the page outlines the permissions required by the app in detail. However, the permissions stated in the agreement do not match the permissions actually required by any of the malicious apps. The scammers' main purpose in adding the agreement is to state that the apps may upload personal data externally, in order to legitimize the apps, but the agreement does so in a very sneaky fashion.
Figure 3. Permissions listed in the user agreement
Figure 4. Permissions requested during installation
A legitimate app or not?
So does adding a user agreement make it legal for the app to collect personal data stored in the device’s contacts? I am not in a position to make any legal decisions; however, I can say that Symantec still considers these apps malicious for the following reasons:
- The sole purpose of the apps is to upload contact details, but this is not indicated to the user.
- The apps do not work as advertised. They are fake and this fact is not communicated by the developer.
- The app pages themselves contain only false information.
- The link to the user agreement is hidden at the bottom of the page where it would go unnoticed.
- The apps are hosted on fake Google Play pages. The pages are designed to appear like the actual Google Play page, but they are hosted on dedicated servers.
When considering these reasons, there is no doubt in our mind that these apps should be detected as malware.
As far as the law goes, hopefully one day there will be enough evidence to arrest and prosecute the group running Android.Enesoluty. But until we actually see someone being punished for developing these sorts of malicious apps, we will most likely see these types of scams continue. Although the law may not be able to stop these apps from being distributed today, you can be sure that Symantec products will block them. Symantec recommends that you download your apps from well-known and trusted app vendors, and install a security app, such as Norton Mobile Security or Symantec Mobile Security, on your phone.