Cybercriminals are disguising their creations as apparently useful apps
Around one week ago, experts from security firm Symantec revealed that they had come across a piece of mobile malware called Android.Exprespam, designed to collect personal data from the devices it infected. Now, the cybercriminals behind this malware have made some modifications to their campaign.
Initially, Android.Exprespam was served to Japanese users from a website called “Gcogle Play” (it’s not a typo). Now, after a number of media outlets have picked up the story about the fake application market, the crooks have launched a new site called Android Express’s Play.
Unsuspecting users were lured to the old site with the aid of spam emails advertising all sorts of interesting Android apps such as “SAFE BATTERY,” “CHECK,” “Miracle face,” or “100% wakes up.”
Now, the cybercriminals have come up with new names for their bogus applications, including “Battery Keeper,” “Check Your Phone!!,” “Mail Block,” “Total God,” or “Cook Master.”
Once one of these apps is installed and executed, information such as the phone number and the names and email addresses from the address book is uploaded to a remote server.
“This group of scammers does not seem to want to go away any time soon, so we may have to continue to play this cat-and-mouse game with them for a while,” Symantec experts explained.
Currently, there are two other pieces of Android malware that target Japanese users: Android.Enesoluty and Android.Ecobatry.
While Japanese authorities are doing a fairly decent job when it comes to identifying Android malware developers, the same cannot be said when it comes to prosecuting them.
At the end of December 2012, a case against 5 suspected malware developers was dismissed because the prosecution could not prove that the individuals knew that their creation was wrongly acquiring information from the phones it was installed on.
Furthermore, the defense argued that victims were informed of the fact that their address books would be accessed when they installed the app.