Contributor: Tommy Dong
Last time we blogged about malware on Google Play that stole photos from Viber. Since then we’ve discovered another app on Google Play that is moving personal media files (photos and videos) off victims’ mobile devices and onto a remote server.
All your videos are belong to us
In the course of enhancing our Mobile Insight cloud-based features to identify apps that leak personally identifiable information (PII), we came across an app on Google Play that was clearly malicious. This app, ‘HTML Source Code Viewer’ by Sunuba Gaming, poses as a development tool, but actually posts files stored on the device in “/DCIM/Camera” and “/DCIM/100LGDSC/” (standard photo and video storage locations) to a web server hosted on proqnoz.info. A look at this server revealed a wealth of personal media files dating as far back as March 2015. This personal media could be used for blackmail, ransomware attacks, identity theft, pornography, and other forms of victimization.
Figure 1. Media files found on web server
Whois data for this server indicates that it's hosted in Azerbaijan. The app had 1,000-5,000 downloads from Google Play when we discovered it, targets all versions of Android from Gingerbread onward, and uses the following permissions:
- android.permission.INTERNET (allows app to open network connections)
- android.permission.ACCESS_NETWORK_STATE (allows the app to access information about networks)
- android.permission.READ_EXTERNAL_STORAGE (allows the app to read from external storage)
- android.permission.WRITE_EXTERNAL_STORAGE (allows the app to write to external storage)
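The permission set and media paths above suggest a simple static triage check, shown here as an added example written for this post (not Symantec's own tooling): it reads a decoded AndroidManifest.xml of the kind apktool produces, plus string constants pulled from the app's code, and flags the combination the post describes. The manifest, strings and upload host below are constructed samples, not values taken from the app.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Pairing that lets an app read stored media and ship it off the device.
EXFIL_PERMS = {"android.permission.INTERNET",
               "android.permission.READ_EXTERNAL_STORAGE"}

# Camera/media directories; generalised from the two paths named in the post.
MEDIA_PATH_RE = re.compile(r"/DCIM(/[A-Za-z0-9_]+)?/?")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[a-z]{2,}(/[^\s\"']*)?")


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def assess(manifest_xml: str, code_strings) -> dict:
    """Flag an app that can read media, names media folders and has a hardcoded endpoint."""
    perms = manifest_permissions(manifest_xml)
    media_paths = sorted({m.group(0) for s in code_strings for m in MEDIA_PATH_RE.finditer(s)})
    endpoints = sorted({m.group(0) for s in code_strings for m in URL_RE.finditer(s)})
    reasons = []
    if EXFIL_PERMS <= perms:
        reasons.append("reads external storage and has network access")
    if media_paths:
        reasons.append("references media directories: " + ", ".join(media_paths))
    if endpoints:
        reasons.append("hardcoded endpoints: " + ", ".join(endpoints))
    suspicious = EXFIL_PERMS <= perms and bool(media_paths) and bool(endpoints)
    return {"suspicious": suspicious, "media_paths": media_paths,
            "endpoints": endpoints, "reasons": reasons}


# Constructed sample: a decoded manifest requesting the four permissions listed above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sample.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
# Constructed sample strings, as if extracted from the app's classes (placeholder host).
SAMPLE_STRINGS = ["/DCIM/Camera", "/storage/emulated/0/DCIM/100LGDSC/",
                  "http://upload.example.invalid/upload.php", "text/html"]
BENIGN_MANIFEST = SAMPLE_MANIFEST.replace("READ_EXTERNAL_STORAGE", "VIBRATE")

if __name__ == "__main__":
    for reason in assess(SAMPLE_MANIFEST, SAMPLE_STRINGS)["reasons"]:
        print("-", reason)
```

Such a check only surfaces candidates for analyst review; a legitimate gallery or backup app matches the same pattern, which is why the post's detection relies on observing what the app actually does with the media.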
Media-leaking apps are out there
This is the second case of media-stealing malware we’ve profiled appearing on Google Play. Symantec Mobile Insight’s new media leak detection capability is identifying a large and growing number of applications that are moving media off Android devices. Norton Mobile Security protects customers from media-stealing malware. Android users will also benefit from AppAdvisor, which flags malware and greyware/potentially unwanted apps (PUAs) while they’re browsing on Google Play, even before they’ve downloaded and installed the app!
Figure 2. AppAdvisor warns users about malicious apps before they are downloaded
Google was notified of the malware, published as HTML Source Code Viewer by Sunuba Gaming, and it has since been removed from Google Play.
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions that apps request
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect the threat discussed in this blog as: