Fake Android app market infects thousands of devices with malware

22 January 2013

File under “don’t get off the boat:” A fake apps market for Android devices is serving up malware that has already stolen between 75,000 and 450,000 pieces of personal information from unwitting consumers within the first two weeks of its existence. The takeaway? Stick with official mobile apps, of course.

Researchers at Symantec discovered Android.Exprespam at the beginning of January, distributed through a fake market called Android Express’s Play. Underscoring the need for consumer education when it comes to rogue mobile apps, Symantec has now found that the store has been wildly successful. It drew well over 3,000 visits in the single week from Jan. 13 to 20. And interest shows no sign of abating.

“The scam has only been around for about two weeks so I am sure that this is just the beginning for the scammers and the amount of personal data collected will increase exponentially,” warned Symantec researcher Joji Hamada, who has been following the malware closely.

Android Express’s Play is actually the second iteration of the fake app store. The first version was called Gcogle Play. Symantec has now found that the creators of Exprespam have registered yet another domain and that another version of the fake market is being prepped for launch. It appears to be under construction or on standby, “but a new malware variant is already being hosted on the site,” Hamada said.

It’s apparent that the scammers are constantly modifying their tactics, so smartphone and tablet users should be vigilant. “These updates will not end until the scammers either are caught by the authorities and punished or cease scamming people, which is unlikely to happen anytime soon,” Hamada lamented. “By now, hopefully most readers who have been following this blog series are now familiar enough with this scam to avoid downloading and installing this malware.”

Hamada said that the malware steals about 150 pieces of information per device. To arrive at a conservative estimate of 75,000, he assumed that only one in ten visitors actually downloaded and installed the malicious app for a total of 500 infections. Conversely, if it is assumed that the number of users actually downloading and installing the app after visiting the site is about 3,000, the figure reaches close to a half-million stolen pieces of information.

“These numbers are just estimates to give a better understanding of the scale of the scam,” Hamada said. “As we do not have the complete data, the actual number is more than likely greater than my estimates.”

This type of scam has been seen before: in 2011, Lookout Security discovered an Android Market lookalike portal that hosted a range of highly attractive but infected apps for the Google smartphone platform.

Android users can stay safe with the tried-and-true methods: avoiding links in emails received from unknown sources, downloading apps only from well-known and trusted app vendors, and installing a security app on the device.
