Android Trojan Shames Illegal App Buyers, Steals Data

An Android app is masquerading as a malicious program to teach phone owners the perils of downloading pirated software from third-party markets or file-sharing sites.

The offending application touts itself as a nonexistent version of a legitimate application Walk and Text currently available on the Android Market, Symantec researcher Irfan Asrar wrote on the company’s Symantec Connect blog. Walk and Text v. 1.3.7 can be found on several “renowned file-sharing Websites” throughout North America and Asia, he said. Symantec has identified this mobile Trojan as Android.Walkinwat.

Collects Sensitive Data

The mobile application does not take control of the Android device, nor does it compromise user data in any permanent way, but it does collect personal information such as names, phone numbers and IMEI information, Irfan said. The entire purpose of Android.Walkinwat is to catch and embarrass individuals who download pirated Android applications rather than paying for the legitimate version from the Android Market, Asrar said.

Once downloaded, Walkinwat (v1.3.7) collects sensitive personal data as if it is going to send it to an external server. At this point, the user sees a screen that reads “Processing… Cracking…” followed by a dialog box with a scolding message.

“Application Not Licensed. We really hope you learned something from this. Check your phone bill 🙂 Oh and don’t forget to buy the App from the Market,” reads the message, with a link to the Android Market.

The Trojan tries to upload the collected information to an external server but Symantec researchers were unable to verify whether the data was actually sent each time, John Engels, principle product manager for enterprise mobility at Symantec, told eWEEK. “However, the fact of the matter is that it does try to send this personal information up to a server and we should assume it’s been successful with the uploads,” he said.

The application is not done with the user yet, as it then sends everyone in the contacts list an embarrassing SMS message: “Hey, just downloaded a pirated App off Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck. Don’t steal like I did!”

Although Symantec discovered this Trojan horse on March 30, it appears to have made an appearance in February. A user posted a download link, MD5 hash of the file and a QD code to download Walk and Text 1.3.6 under a forum thread titled “Walk and Text v1.3.6” on Mobilism, a user-powered database of applications, games, movies and books for all mobile platforms.

Later in the thread, mirror links for v.1.3.7 (which does not exist) were posted, but identified by other users as being fraudulent. The Mobilism users seemed to be under the impression that the fake version of Walk and Text also came from Incorporate Apps, the original developers of the real application. It is not clear that is the case, as the developers requested in the same thread that these links be removed and for users to just buy the software legitimately.

Asrar speculated that the application was intentionally spread by the developers to maximise the number of people who see the anti-piracy message, or that the developers were trying to undermine the true creators. The developer has all the phone information of people who have downloaded the Trojan. The implication of that information falling into the wrong hands is a more than little worrying.

“Android.Walkinwat is the first mobile-phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorised sites,” wrote Asrar.

Ironically, the malware developers took steps to ensure Android.Walkinwat cannot be pirated. The Trojan employs a routine built into the Licensing Verification Library on the Android platform to help prevent piracy and the developers obfuscated the code, Asrar said.

The latest and legitimate version of Walk and Text on the Android Market is currently v1.5.3.