Figure 1: Examples of suspicious apps on Google Play that target Korean users.
These apps appear to have been uploaded to Google Play since early November. The total number of downloads ranges from 170,000 to 640,000 so far, according to Google Play statistics. Because the user interface of these apps supports only Korean, we guess the main target of these applications is Korean users. However, we can also find these apps on Google Play Japan by searching for words related to pornography. Most of them, though not all, are related to adult content.
Figure 2: One of the suspicious apps offers (non-adult) wallpaper.
When launched, these apps automatically retrieve the device’s phone number and send it to a server managed by the developer, without any prior notice to the user. Because the use of the phone number does not seem related to the app’s functionality, we can safely say they are designed to secretly collect users’ phone numbers.
Figure 3: Several screens from one of the phone number-stealing Korean-language apps.
The Java code preprocesses the retrieved phone number only if the number starts with “+82,” the country code of South Korea.
McAfee Mobile Security detects these applications as Android/AxLeaker.A.