ANDROIDOS_EXPRESPAM.A

This malware is downloaded from a site that mimics Google Play. The app names it uses copy legitimate app names and uses legitimate apps' descriptions to further trick users into downloading and installing the apps.

It steals the user's phone number and contacts. The stolen information are sent to two different URLs.

Arrival Details

This Trojan may be downloaded from the following remote sites:

• http://{BLOCKED}trctrbcbrd.com/play/ebifriday.php
• http://{BLOCKED}trctrbcbrd.com/play/saisokujyuuden.php
• http://{BLOCKED}trctrbcbrd.com/play/check.php
• http://{BLOCKED}trctrbcbrd.com/play/kantannenga.php
• http://{BLOCKED}trctrbcbrd.com/play/miracleface.php
• http://{BLOCKED}trctrbcbrd.com/play/100zettaikisyo.php
• http://{BLOCKED}trctrbcbrd.com/play/fukubukuro.php
• http://{BLOCKED}trctrbcbrd.com/play/iPhone_Converter.php
• http://{BLOCKED}trctrbcbrd.com/play/safe_battery.php
• http://{BLOCKED}trctrbcbrd.com/play/install/wrehifsdkjs.apk

NOTES:

Once user installs this malware, it displays アプリの初期設定を行っています、しばらくお待ちください.., which is loosely translated as Under default setting of the app. Please kindly wait for a while.. While it fake installs on the phone, it steals information such as the user's phone number and contacts.

The stolen phone number is sent to https://ftukguhilcom.{BLOCKED}t.com/cgi-bin/confirmUserData.php, while the stolen contacts are sent to https://ftukguhilcom.{BLOCKED}t.com/cgi-bin/registerAddressData.php.