Hong Kong Google Play Store's Apps Security Risk Report (September 2013)
Hong Kong Computer Emergency Response Team (HKCERT) Coordination Centre cooperates with the National Institute of Network and Information Security (NINIS) for detecting malicious and suspicious behaviors of Apps from the Google Play Store, in order to study the security risk of apps in the Google Play Store in Hong Kong area. NINIS provides us analyzed result, and we collate the detection result and publish security alerts to the public.
In the report of September, we have downloaded 182 apps from Play Store, where 13 apps have been identified as high risk. 5 of them were removed from Play Store (on or before 27-September). The detail of report is shown as follow.
Target scope:
- Top 50 Free Applications in Hong Kong area
- Top 50 New Free Applications in Hong Kong area
- Top 50 Free Games in Hong Kong area
- Top 50 New Free Games in Hong Kong area
Scanned Apps
- Successful downloaded and scanned: 182 apps
- Unable to download via the system: 18 apps
- Downloaded date: 5-September 2013
- List of the downloaded apps: "Appendix 1" [download]
Analysis Overview
In this analysis, 182 apps were scanned for bad behaviors. Based on the level of security threat, the apps were divided into 2 categories: apps with malicious and apps with suspicious behaviors. Malicious behavior refers to apps behavior pose malicious level of security risk, which can be identified explicitly, that causes security threat to users. Suspicious behavior refers to apps behavior pose certain level of security risk, but no malicious behavior can be explicitly identified.
1. Scanning Result
Among the 182 scanned apps, 13 apps were identified as security high risk. These 13 Apps were identified with 11 high risk behavior signatures, Android.Adware.Plankton.A, Android.Adware.Adwo.A, Android.Counterclank.A, Android.Adware.AirPush.G, Android.Trojan.Generic, Android.AdWare.Apperhand, Android.Adware.Plankton.l, Android.Trojan.GingerMaster, Android.AdWare.Ganlet, Android.AdWare.Leadbolt and Android.SMSSend.
List of security high risk apps
Application | High risk behavior signature / Ad plug-in | Malware detection ratio by VirusTotal | Status # |
1. Turbo Racing v1.1 Category: New Free Game | Android.AdWare.Leadbolt Android.Trojan.Generic Android.AdWare.Ganlet | 17/48 [link] | Removed from play store |
2. Journey Wars _ Super Fighting v1 Category: New Free Game | Android.AdWare.Leadbolt Android.AdWare.Ganlet Android.Trojan.Generic | 12/47 [link] | Available on play store |
3. Bubble Combos v1.0.5 Category: Top Free Game | Android.AdWare.Leadbolt Android.Trojan.Generic Android.AdWare.Ganlet | 14/47 [link] | Available on play store |
4. 瘋狂猜成語 v1.38 Category: Top Free Game | Android.Adware.Adwo.A Android.Trojan.Generic Android.SMSSend | 17/44 [link] | Available on play store |
5. 性愛姿勢動畫教學做爱經驗分享 v1.4 Category: Top Free Application | Android.Adware.Adwo.A Android.Trojan.Generic Android.Counterclank.A Android.AdWare.Apperhand | 17/45 [link] | Available on play store |
6. 約炮神器:性愛360技 v2.3 Category: Top Free Application | Android.AdWare.Apperhand Android.Trojan.Generic Android.Adware.Plankton.A Android.Counterclank.A | 18/45 [link] | Available on play store |
7. Simple Mp3 Downloader v1 Category: Top Free Application | Android.AdWare.Apperhand Android.Trojan.Generic Android.Adware.Plankton.A Android.Counterclank.A | 17/46 [link] | Removed from play store |
8. Snapshot Text Editor v1 Category: Top Free Application | Android.AdWare.Leadbolt Android.Trojan.Generic | 15/47 [link] | Available on play store |
9. Digital Clock Live Wallpaper v1.6 Category: Top Free Application | Android.AdWare.Apperhand Android.Adware.Plankton.l Android.Trojan.Generic | 22/48 [link] | Removed from play store |
10. 情人性愛姿勢300+ (動畫教學) v1.1 Category: Top Free Application | Android.Adware.Plankton.l Android.Counterclank.A Android.Adware.Adwo.A | 22/26 [link] | Available on play store |
11. Happy Couple v0.1.5 Category: Top Free Application | Android.Trojan.Generic Android.Trojan.GingerMaster Android.Adware.Adwo.A | 18/47 [link] | Removed from play store |
12. WhatsApp Messenger themes v1.2 Category: Top Free Application | Android.Adware.Plankton.A Android.AdWare.Leadbolt Android.AdWare.AirPush | 21/47 [link] | Removed from play store |
13. Hidden Porn Browser v1 Category: Top Free Application | Android.Adware.Plankton.A Android.AdWare.Apperhand Android.Trojan.Generic Android.AdWare.AirPush | 21/48 [link] | Available on play store |
High risk behavior signature and Ad plug-in | High risk behavior |
Android.Adware.Plankton.A | It is an Ad plug-in bundled with App, which can steal user's private information, such as phone number and email address, and send to cooperative companies. This behavior is called "aggressive advertisement", which forces displaying ads on the main screen. |
Android.Adware.Adwo.A | It is an Ad plug-in bundled with App, which can steal user's private information, such as phone number and email address, and send to cooperative companies. |
Android.Counterclank.A | It advertises application on pop-up ads and commercial ads, which can be downloaded and installed without getting user's permission. It can steal user's private information. |
Android.Adware.AirPush.G | This is an advertisement framework. It can aggressively push ad to device's notification bar. It can modify browser's bookmark, and remove icon on the main screen. The ads will ask for money. Some ads showed in the notification bar will lure user to subscribe and pay for SMS service. Three common luring ads are 1) fake shop, 2) fake free call service, 3) system notification impersonation |
Android.Trojan.Generic | This is a malicious backdoor Trojan, which runs in the background. It allows remote access to the infected system. It will collect and steal sensitive information, such as Internet activities, account/password setting, geo-location, operator name, system version, device model, IMEI, etc. |
Android.AdWare.Apperhand | This high risk app can execute specified command and steal information. It can obtains user's private information. This app contains specified vulnerabilities, which can be exploited to compromise the system. |
Android.Adware.Plankton.l | It is a Trojan, that steals sensitive information. It can collect information, e.g. IMEI number, display resolution, etc, and send to a remote computer. This Trojan contains a URL address, which can be operated to add/remove records on bookmark, add records to shortcut list, collect and send out data, via HTTP protocol. |
Android.Trojan.GingerMaster | Hacker can use this high risk app to take control of the phone remotely. This high risk app was found as the first use of exploiting root on Android 2.3. It can bypass the detection of Anti-virus successfully. Once GingerMaster installed and got the root permission, it can connect to the remote command server and request for commands. It has an ability of download and installing apps without getting user's permission and notification. |
Android.AdWare.Ganlet | It is a high risk Adware. When the phone downloads and runs the app, it will download another data packet automatically and pop-up advertisement. The other versions of this Adware are also found as spyware and Information stealer apps. |
Android.AdWare.Leadbolt | It is a high risk Ad plug-in, which can steal user's private information, including phone number, call history, geo-location, etc. |
Android.SMSSend | It is a Trojan that sends SMS to a specified phone number without getting user's permission. Exact cost may be incurred in user's account. |
Share with