Online criminal group uses Android app for sextortion 

Feb 12, 2015 07:02 PM

The arrest of several men involved in a sextortion case in Japan made headlines in April of last year. Japanese authorities discovered that 22 victims had deposited 3,500,000 yen (30,000 US dollars) into a bank account controlled by the criminals. It has been reported that the attackers controlled more accounts, so it is likely that the amount of money stolen by the group was significantly higher. While sextortion exists in many forms, this particular case involved malicious Android apps that were used to commit online extortion.  

Sextortion using Android apps is prevalent in Asian countries, particularly South Korea and Japan, and appears to have surfaced sometime around 2013. Multiple criminal groups may be using this tactic to extort money from their victims.

How Android sextortion works
Sextortion begins when the criminal group looks for targets on various social networks and then sends them messages. These messages are likely to look like they are from an attractive person of the opposite gender. Once the attackers find someone to take the bait, they approach the potential victim in an attempt to exchange sexually explicit videos with each other.

If the victim provides the sexual content, the group will attempt to persuade the victim to install and use an app to continue the cybersex session. If the app, commonly hosted on random web servers, is installed and launched, it does not appear to do anything. However, in the background, the app uploads personal information stored on the Android device, including the victim’s phone number and account details. The app also steals all contact data stored on the phone.

At this point, the attackers can move to the last stage. They will threaten to spread sexually explicit videos of the victim to the victim’s contacts if they do not pay the attackers. Victims may find it difficult to seek help because of the nature of this attack and end up sending hundreds, if not thousands, of dollars to the attackers.

Protect yourself against sextortion apps
The particular sextortion operation mentioned earlier in this blog has been in existence since at least 2013. The crime has seen continued success and in December 2014, the attackers behind it appeared to ramp up their malware distribution. We have confirmed several dozen variants in recent months; however, they still appear to function in the same way.

In most cases, the malware uses the same icon or app name. The code that makes up the app is basically the same in all instances. However, the URL used to post the stolen personal information is modified for each version of the app. Symantec has recently observed the following applications used in variants of this attack. English translations of the name of the apps include My Gallery, My Blog, Photobook, Online Chat, and Text-to-speech.

Figure 1. Icons and names of recent sextortion apps

When installing apps, it is important to always confirm that the permissions requested by the app make sense. In the following figure, users should question why the app needs to “read your contacts” and “find accounts on the device”. If users do not feel comfortable with the permissions requested by the app, they should not install it.

Figure 2. Permissions requested by the malicious app
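
The permission check described above can also be scripted when an app is reviewed before installation. The following is an added example, not code from the original post or from Symantec: it reads a decoded (plain-text) AndroidManifest.xml and flags an app that requests the permissions named above together with network access. The sample manifests, package names, the inclusion of READ_PHONE_STATE and the flagging threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names mapped to the install-dialog wording. The first two are the
# ones the post says to question; READ_PHONE_STATE is an assumption, added
# because the post says the phone number is also taken.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.GET_ACCOUNTS": "find accounts on the device",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
}
NETWORK = "android.permission.INTERNET"  # required before anything can be uploaded

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for tag in tags for el in root.iter(tag)}
    return names - {None}

def triage(manifest_xml):
    """Flag apps that can read two or more personal-data sources and upload.
    The threshold of two is a heuristic chosen for this example."""
    perms = requested_permissions(manifest_xml)
    sensitive = sorted(perms & set(DATA_ACCESS))
    can_upload = NETWORK in perms
    return {"sensitive": sensitive, "can_upload": can_upload,
            "flag": can_upload and len(sensitive) >= 2}

# Constructed sample manifests (not taken from any real app).
NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SUSPICIOUS = f"""<manifest {NS_DECL} package="com.example.mygallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
BENIGN = f"""<manifest {NS_DECL} package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = triage(xml)
        print(label, "FLAG" if result["flag"] else "ok",
              [DATA_ACCESS[p] for p in result["sensitive"]])
```

A flag here means only that the requested permissions do not match what a gallery or chat app would plausibly need; it is a prompt for closer review, not a malware verdict.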

Symantec recommends the use of a security app, such as Norton Mobile Security, on smartphones. It’s also best to take extra precautionary measures if you are going to be sharing personal content, especially if it is sexually explicit, with someone you have never met face to face.

Symantec detects the apps discussed in this blog as:
