A malicious Android application that was posing as a development tool was stealing users’ media files for over a year, researchers at Symantec warn.
The offending software was being distributed via Google Play, the official app storefront for Android, where it was posing as a development tool called “HTML Source Code Viewer,” published by Sunuba Gaming. The application had between 1,000 and 5,000 downloads when researchers discovered its nefarious activities.
Instead of offering development capabilities to unsuspecting users, the program was grabbing photos and videos from the compromised devices and was sending them to a remote server, Symantec researchers discovered.
To ensure that it could perform its malicious activities unhindered, the program requested a series of permissions that should have tipped users off on its hidden agenda. These include the ability to open network connections, access to information about networks, the permission to read from external storage, and the permission to write to external storage.
This is the second media-stealing app that was found in Google Play over the course of a month, after a piece of software called Beaver Gang Counter was found in late June to be engaging into similar behavior. That application, however, was targeting photos and videos from the popular social media app Viber.
The newly discovered malicious program, on the other hand, is targeting all of user’s personal photos and videos by searching for the files stored in “/DCIM/Camera” and “/DCIM/100LGDSC/” folders, which are the standard locations for this type of content. All of these files were then uploaded to a web server hosted on proqnoz.info, researchers say.
What’s more worrying than the fact that the server contains a great deal of personal photos and videos stolen from victims is that some of these files are dated as far back as March, 2015. “This personal media could be used for blackmailing, ransomware attacks, identity theft, pornography, and other forms of victimization,” Symantec’s Shaun Aimoto explains.
The security researchers also discovered that the attacker’s server is hosted in Azerbaijan and that the malicious application is targeting Gingerbread and newer versions of Android. Google was informed on the nefarious activities the HTML Source Code Viewer application was engaged into and has removed it from Google Play.