McAfee Mobile Research monitors adult one-click-fraud applications on Google Play that are targeted at Japanese users. Although the attackers appeared to have stopped uploading these apps in May, they have now resumed the attacks. We have confirmed about 600 malicious applications have been published since the beginning of April.
We have also confirmed that another type of well-known fraudulent application–bogus adult dating services–are increasing on Google Play. These fraudulent dating-service applications have been published before on Google Play, and now we’ve seen new apps appear every day since May. We’ve counted in total more than 400 fraudulent dating applications, and more than 130 are still on Google Play. The number of total downloads lies between 90,000 and 310,000. The figure would be higher if we counted already deleted apps.
Fraudulent adult dating-service applications in Japan.
Fraudulent dating services have existed in Japan for more than 10 years. They generally operate using decoys, called sakura in Japanese. These are the service operators themselves or paid agents who pretend to want to meet the victims. The sakura have no intention of meeting, but do want to make callers pay money to keep in touch. In most cases, the victims are lured to these malicious sites via spam mails, links on web pages, and search engines. Recently new media–such as social networking services and free messaging tools–also attract victims to these services.
Today, the attackers increasingly trick their potential victims using mobile applications, especially on Google Play. In most cases, these apps simply show fraudulent websites on its WebView component or run a browser to show the sites.
Initial screens of fraudulent dating service apps displayed on WebView.
We now know that a developer of a series of one-click-fraud applications also publishes fraudulent dating-service apps. It is not clear whether the developer is actually operating the dating services but they are related, for example, by receiving affiliate revenues from the service operator.
Fraudulent dating service apps published by a one-click-fraud apps developer.
It appears that other developers are publishing bogus dating applications. The apps vary in format: displaying fraudulent websites, providing fake advertisement links to websites, providing links a set of websites including malicious sites and legitimate dating services, imitating article threads from a well-known BBS and tricking readers into believing their story and registering for the malicious services, and so on.
Fraudulent dating-service apps published by another developer.
Links to fraudulent dating-service apps embedded in a BBS article-collection app.
Fraudulent dating-service app as a collection of links.
The landing pages of these malicious sites often imitate pages on Google Play–to make users believe the services are safe and endorsed by the official app store.
Landing pages of fraudulent apps imitating Google Play pages.
These applications do not automatically collect private information from the devices or send spam mails/SMS messages; they just lead users to their fraudulent sites. On those sites, users are requested to input their email address on their devices or in some cases their mobile phone numbers.
Once users register for the service, the decoy sends mail, which always has the same message. At first, users can exchange messages with the potential “partner” for free, but the free period suddenly expires just as the decoy promises to meet; the victims have to pay to keep in touch. Sometimes the decoy says she wants to give the victim a huge amount of money and requests a minimum charge to the service to proceed; of course such offers are always baloney!
Other characteristics are that users are automatically registered in one or more dating services at the same time, probably operated by the same fraudulent group. Once registered in these services, users will receive a massive amount of spam to trick them into paying money; in the worst case two or three mails are sent every minute, up to more than 1,000 mails per day.
Users can avoid these risks by not registering for the services or not communicating with the service operator even if they accidentally register. But even with this easy defense, some victims suffer again and again. Professional fraudsters catch the unguarded with their tricky tactics.
McAfee Mobile Security detects these fraudulent dating-service apps as Android/DeaiFraud and protects customers from this common Japanese fraud. We also block web access to such malicious sites by registering their URLs in our Web Reputation Database.