In two recent blogs, McAfee Labs described Japanese and Korean Android apps on Google Play that steal a mobile device’s phone number. We have now found two more Japanese chat apps that show similar behavior. These two apps have been downloaded between 10,000 and 50,000 times each. The developers of these apps have manipulated the ratings of their apps on Google Play in a prohibited, unfair way and also operate several suspicious sites offering adult-dating services.
Figure 1: Two Japanese chat apps steal a device’s phone number.
The apps, Chatline and Connect Line, give users the impression that the apps are related to Line, a popular messaging app in Japan, though they actually have no relationship at all.
The apps retrieve a device’s phone number, International Mobile Equipment Identity (IMEI), and Subscriber Identity Module (SIM) serial numbers, and send them to a remote web server. This occurs when users launch the apps and before they create user profiles for the chat service. Moreover, if a user creates a profile for the service, information such as nickname, gender, city of residence, birthday, and self-introduction provided on the application screen are sent with the other numbers. A user is not required to input real information, if a user adds more detailed personal or attribute data–such as hobby and preferences while chatting–this information might be stored on the developer’s site, associated with the phone number. This can be a big privacy risk.
Figure 2: The application screens of the two suspicious chat apps.
Figure 3: An example of sensitive data sent from the apps to the developer’s web server.
The apps request READ_PHONE_STATE and other permissions at installation, but do not tell users that they will retrieve the device’s phone number and other information and send that to the developer’s server. There’s no hint in the description of the apps, their screens, the terms and conditions, or the privacy policies. These apps know how to keep a secret.
On Google Play these apps are getting very high scores in user reviews, but these unnaturally high scores seem to come from cheating. In these apps, users need to pay a service fee to chat. Users receive a small amount of free credit to start using the service, and this credit is soon exhausted. Then users are prompted to buy new credits via Google Wallet to continue chatting. At this point, the service makes attractive offer to give more free credits if users will give a high review score (4 or 5) to the app on Google Play. App-ratings manipulation by offering incentives to users is strictly prohibited by Google Play Developer Program Policies. It is clear that the apps violate this policy, which tells us the developers are already breaking the rules.
Figure 4: Chatline offers incentives to users for manipulating its ratings on Google Play.
The implementation code of these two apps is almost the same, which implies they were built and published by the same developer or by related parties. Our investigation into the developers–based on the company information found on the apps–reveals they operate several suspicious adult-dating sites. We have not confirmed that the collected phone numbers and other information are being used for fraudulent or other malicious purposes. But users of these apps should be aware that their private information is being sent to such companies in the adult-dating business.
Figure 5: Adult-dating services operated by the developers of these apps.
McAfee Mobile Security detects these apps as Android/ChatLeaker.B.