Symantec has discovered an app on Google Play that steals photos and videos from the popular social media app Viber. Beaver Gang Counter masquerades as a score keeping app for a popular card game but secretly searches for media files related to the Viber app and sends them to a remote server.
Figure 1. The Beaver Gang Counter app steals Viber media files
Say cheese!
When we reverse-engineered the app we identified malicious activity.
Figure 2. Code found in the Beaver Gang Counter app that steals Viber media files
The app is equipped with code that enables it to search directories that Viber uses to store images and videos. After the media is collected it is sent to a remote webserver.
Viber is an extremely popular social media app with over 500 million installs on Google Play alone. The data stolen by the malware could be used for a number of nefarious purposes such as identity theft, blackmail, fraud, or pornography.
Wait for it…
A deeper look at this app also identified a tactic that’s becoming more prominent in the wild: time-delayed attacks. For this particular app, the command and control (C&C) server is queried to check if the media files should be collected. This allows the criminals running the server to enable and disable the malicious behavior at will, circumventing the dynamic analysis of security vendors and potentially Google Play’s Bouncer app-vetting service. Symantec security products detect this threat as Android.Vibleaker.
Figure 3. Phoning home to see if it’s crime time
As more and more of our work and personal lives move onto our smartphones, we’re seeing the emergence of new and greater risks to consumers. With increasing sophistication malware authors are taking advantage of the wealth of personal information travelling around in our pockets.
Having photos or videos stolen and leaked online is a phenomenon that’s familiar and understandable to mobile users thanks to the news of hacked Apple iCloud accounts and the leaking of celebrity photos some time ago. The discovery of the malicious app discussed in this blog demonstrates that having photos stolen from your device is also a risk Android users need to be aware of.
We alerted Google to this issue and in response they removed this app and developer from Google Play.
Mitigation
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions that apps request
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
Protection
Symantec and Norton products detect the threat discussed in this blog as: