“Symantec has acquired some data that has allowed us to get an idea of how successful Exprespam may be in scamming Android users into providing personal data,” according to a blog post by Joji Hamada at Symantec’s Security Blog. “The data obtained, which is only a portion of the complete data, indicates that the fake market called Android Express’s Play has drawn well over 3,000 visits in a period of a week from January 13 to January 20. Based on several sources, I calculated that the scammers may have stolen between 75,000 and 450,000 pieces of personal information.”
Hamada later adds that this number is likely to be very conservative.
The exploit was first discovered last fall in Japan, when a group of hackers were arrested for allegedly creating and using the malware to obtain private information from Android users. Prosecutors subsequently released the group in December, fearing they did not have enough information to get a conviction.
Since then, the malware has expanded and new websites have been created to scam user data, according to an earlier post by Hamada. Now the exploit has the potential for exponential growth, as shown in Hamada’s chart, above.
“Symantec has identified new malware, which we detect as Android.Exprespam that collects personal data, such as the device owner’s phone number as well as names and email addresses, stored in Contacts on the compromised device,” wrote Hamada in early January. “Like previously discovered malware, such as Android.Enesoluty, which, by the way, is still active, emails are spammed with links to fake Google Play pages, which are hosted on a server located in Washington State in the United States. It is worth noting that the site actually calls itself Gcogle Play. The domain for the website was registered on December 27 and the malicious APK file contains a signature valid from January 2.”
Hamada says Symantec has confirmed nine different app pages on this site, including SafeBattery, SpeedMax, CHECK and others, although the downloaded app is the same in each case. A couple of the fake app pages resemble the type of fake tools used by older malware, but most are new types of fake tools. The scammers have made available a variety of apps in the hope that it increases the chances of the apps being installed. This is a distinct ramping up of activities as older malware masqueraded at most as three apps on a site simultaneously.
Hamada says the scammers are constantly modifying their tactics so that the scam provides a good “return” for them.
“These updates will not end until the scammers either are caught by the authorities and punished or cease scamming people, which is unlikely to happen anytime soon,” he adds.
Android users can stay safe by avoiding links in emails you receive from unknown sources, by downloading apps from well-known and trusted app vendors, and by installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on the device, said Hamada.