Trojan targets Japanese Android users with 'X-ray' promise

Unsurprisingly popular, the “Infrared X-ray” app is, of course, actually a mobile trojan. “Not surprisingly, the app does not work as per advertised and a picture of a man holding up his middle finger stating that the victim is a pervert is displayed,” explained Symantec researcher Joji Hamada, who analyzed the malware.

Unlike most malware of this type, the phishing mails are not sent by its authors; instead, the app accesses users’ contacts lists to send them out.

“This allows the recipients of the spam to be tricked easier because the invitation to download the app is coming from someone they know rather than from an unknown sender,” Hamada said. “If a friend is recommending an app, why would you not at least try it out, right?”

Once the app is executed, details stored in the device’s contacts are uploaded to a predetermined server. Hamada uncovered several variants of the app, which differ in what they do from there.

“The latest variants have added an interesting payload: rather than sending SMS messages to the victim’s friends and family, the ultimate goal is to scam the victim with something similar to what is called one-click fraud in Japan,” Hamada said. “While the contact data is being stolen and sent to the malware author, the new variants also download and display registration details for a website hosting adult content.”

In some cases, the app shows a splash screen for a second or two before displaying a message stating that registration has completed, and the victim is asked to pay ¥29,000 for the “service.”

The app also sends SMS messages detailing the payment. The malware author also threatens to contact people found in the victim’s contacts list if the victim does not pay for the service.

“The app continuously displays the registration details and sends SMS messages to the victim’s contacts until the app is uninstalled,” Hamada said. “In order to make it difficult for the victim to uninstall the app, it removes itself from the launcher after it is initially executed, although it can be removed in applications under settings.”

Also, new variants of the app no longer attempt to turn the camera on, as earlier versions did.

To stay protected, users should, as always, refrain from clicking links in emails and SMS messages from unknown senders, as well as in suspicious messages from known senders. Furthermore, they should only download apps from trustworthy vendors.
