Android malware against software piracy

The success of the Android platform is obvious from the number of applications, now over 300000, now available from the Android Market. On average, over 1000 new applications are added every day. There is no doubt that the recent release of Amazon Appstore for Android will make the platform even more popular.

With the high number of applications being published comes the pressure of the competition, especially for the smaller companies producing paid for products that make for majority of their revenue.

Number of Android apps
Image courtesy of

One of the consequences of the ability to install Android packages outside of the Google Android market is quite a buoyant community of software crackers that make cracked versions of the paid for applications available on various Android related forums and file sharing websites.

The recommended way of protecting Android apps from crackers is to obfuscate the licensing functionality and make it difficult for reverse engineering. The experience from the Windows world is that crackers are usually able to remove the protection scheme and publish a cracked copy of the application quite quickly.

Yesterday, we discovered a new malicious Android application which purports to be a non-existent version 1.3.7 of the application Walk and Text created by Incorporateapps. The application has been distributed on several forums and file sharing sites.

The developers of the application have attempted to impersonate Incorporate apps but the digital signature does not respond to the original as seen during the verification of the code signature.

sm 13188 Wed Feb 02 21:23:24 CET 2011 classes.dex

X.509, CN=F*****s Fake, OU=Fakers, O=Fakers, L=Fake, ST=Fake

When the Trojan is installed, it displays the view that appears as if the legitimate Walk and Text application is being cracked.

Wandt-A initial screen

However, the users of this “cracked” version will be very surprised when they find out that the application does not contain any functionality related to the original. Instead, it enumerates the contacts on the device and sends an SMS to all the contacts, which incurs cost to the sender.

Sms message sent by Troj/Wandt-A

Before that, the Trojan collects some personally identifiable information such as phone number and IMEI and attempts to upload the information using an HTTP request to a URL that points to the site owned by Incorporateapps. However, it seems like Incorporateapps is not related to this attack as it can be seen from this message on the page used by the Trojan to upload the information.

Text from Incorporateapps

Finally, the Trojan displays a view which recommends the user to install the legitimate version of the application and forwards the user to its Android Market page.

Final Troj/Wandt-A view

The question at the end is who stands behind this piece of malware? One possibility is that it was a fan of Incorporateapps applications who attempted to protect the company from piracy. Another possibility is that it was somebody who wanted to damage the company’s reputation so that it appears that they stand behind the attack. The jury on that one is still out there.

Sophos products detect the Trojan as Troj/Wandt-A.