Android.Walkinwat is the first mobile phone threat discovered in the wild that attempts to discipline users who download files illegally from unauthorised sites. When downloaded and launched, the app displays the messages below:
Presented as a non-existent version (V 1.3.7) of Walk and Text, an application that is available on the Android Market, Android.Walkinwat can be found on several renowned file-sharing websites throughout North America and Asia. One could make the case that the creators of the threat intentionally spread this app in these regions in order to maximise the download prevalence and convey their message to as large an audience as possible. However, one could also make the case that the creator of Android.Walkinwat is attempting to undermine the publisher of Walk and Text.
Once the app is running, the user is presented with a dialog box that gives the appearance that the app is in the process of being compromised or cracked, when in fact the app is gathering sensitive data (name, phone number, IMEI information, etc.) and attempting to send it to an external server. In addition, the app sends the following SMS messages to all the contacts in the contact list:
Interestingly enough, the Trojan performs the above set of actions in a routine of Android.Walkinwat called ‘LicenseCheck’, something traditionally used by legitimate apps for license management in conjunction with a Licensing Verification Library available for the Android platform to help prevent piracy. The authors of the malicious code have also taken the extra step of obfuscating their app, which is another recommended measure to prevent piracy. The app then concludes with a final message to the user, reminding them to check their phone bill and providing an option to buy the legitimate version of the app from the Android App market.
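A triage check for the behaviour described above, as an added example that is not from the original post or from Symantec: it reads a decoded AndroidManifest.xml and reports which of the permissions needed for contact access, SMS sending, device-identifier access and network access an app requests. The permission mapping, the function names and both sample manifests are assumptions constructed for illustration; the page does not list the permissions the Trojan requests, and the manifest is assumed to have been decoded from the APK's binary XML to text beforehand.

```python
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: behaviour described in the article -> permission it needs.
BEHAVIOUR_PERMISSIONS = {
    "reads contact list": "android.permission.READ_CONTACTS",
    "sends SMS": "android.permission.SEND_SMS",
    "reads IMEI / phone number": "android.permission.READ_PHONE_STATE",
    "contacts external server": "android.permission.INTERNET",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def triage(manifest_xml):
    """Report which described behaviours the manifest makes possible."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(b for b, p in BEHAVIOUR_PERMISSIONS.items() if p in perms)
    # Flag only when every behaviour from the article is possible at once.
    return {"matched": matched, "flag": len(matched) == len(BEHAVIOUR_PERMISSIONS)}

# Constructed sample: a repackaged app requesting the full combination.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed sample: a texting app with no network or device-identifier access.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.texting">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(manifest))
```

A full match is a reason to inspect the app further, not a verdict: legitimate messaging apps can request the same combination, so the flag is most useful when compared against the permissions of the genuine version of the app.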
Although this isn’t the first case of disciplinary justice being used as a means to send a message against piracy, this is the first of its kind discovered on the mobile landscape.
For more details, please proceed to Symantec Security Response’s post on this.