Fake Android app market infects thousands of devices with malware

Researchers at Symantec discovered Android.Exprespam at the beginning of January, distributed through a fake market called Android Express’s Play. Underscoring the need for consumer education about rogue mobile apps, Symantec has now found that the store has been wildly successful: it drew well over 3,000 visits in a single week, from Jan. 13 to 20, and interest shows no sign of abating.

“The scam has only been around for about two weeks so I am sure that this is just the beginning for the scammers and the amount of personal data collected will increase exponentially,” warned Symantec researcher Joji Hamada, who has been following the malware closely.

Android Express’s Play is actually the second iteration of the fake app store; the first version was called Gcogle Play. Symantec has now found yet another domain registered by the creators of Exprespam, where a further version of the fake market is being prepped for launch. The site appears to be under construction or on standby, “but a new malware variant is already being hosted on the site,” Hamada said.

It’s apparent that the scammers are constantly modifying their tactics, so smartphone and tablet users should be vigilant. “These updates will not end until the scammers either are caught by the authorities and punished or cease scamming people, which is unlikely to happen anytime soon,” Hamada lamented. “By now, hopefully most readers who have been following this blog series are now familiar enough with this scam to avoid downloading and installing this malware.”

Hamada said that the malware steals about 150 pieces of information per device. To arrive at a conservative estimate of 75,000 stolen items, he assumed that only one in ten visitors actually downloaded and installed the malicious app, for a total of 500 infections. At the other extreme, if it is assumed that about 3,000 visitors downloaded and installed the app, the figure reaches close to half a million stolen pieces of information.

“These numbers are just estimates to give a better understanding of the scale of the scam,” Hamada said. “As we do not have the complete data, the actual number is more than likely greater than my estimates.”

This type of scam has been seen before: in 2011 Lookout Security discovered an Android Market lookalike portal that hosted a range of highly attractive but infected apps for Google’s smartphone platform.

Android users can stay safe with the tried-and-true methods: avoiding links in emails from unknown sources, downloading apps only from well-known and trusted app vendors, and installing a security app on the device. Because a third-party website cannot install an app unless the device has been set to allow installation from unknown sources, leaving that setting disabled blocks this kind of fake store outright.