Earlier this week, the Chiba Prefectural Police in Japan arrested nine individuals for distributing spam that included emails with links to download Android.Enesoluty – a malware used to collect contact details stored on the owner’s device. The arrested men include Masaaki Kagawa, the 50-year-old president of the Koei Planning, an IT firm located in Shibuya, Tokyo. He is also apparently known as an avid poker player who participates in poker tournaments worldwide and has earned over a million US dollars in these competitions. He appears to be the main player running the operation. His passion for taking chances and risks has paid off in the game of Poker, but it’s not looking good for his gambling with Android malware. Kagawa and his associates now await a likely prosecution.
From our observations, the operation began around September, 2012 and ended in April, 2013 when authorities raided the company office. We confirmed around 150 domains were registered to host the malicious apps during this time span. According to media reports, the group was able to collect approximately 37 million email addresses from around 810,000 Android devices. The company earned over 390 million yen (approximately 3.9 million US dollars) by running a fake online dating service called Sakura site in the last five months of the spam operation. Spam used to lure victims to the dating site was sent to the addresses collected by the malware.
Symantec has closely followed the Enesoluty scam since July, 2012. Details of events can be found in the following blogs:
- Anime Character Anaru Exploited to Help Steal Android Contact Details: Published on July 27, 2012.
Symantec ‘s observation of the operation began with a discovery of the variant used to run a testing phase. Development of the scam appears to have begun around June, 2012.
- Anaru Malware Now Live and Ready to Steal: Published on September 07, 2012.
The operation then went live with two fake apps being hosted on fake Google Play sites around the beginning of September, 2012.
- Fake Antivirus App Steals Contact Data on Mobile Devices: Published on September 25, 2012.
A new malicious app was developed and added to the line-up.
- Android Malware Continues to Thrive in Japan: Published on December 03, 2012.
Enesoluty scammers continued their malicious deeds even after the arrests of two different groups stealing contact details using Android malware.
- Android.Enesoluty Adds a User Agreement: Published on December 10, 2012.
A EULA was added to the fake Google Play app pages to evade a potential action by law enforcement.
- Lime Pop: The Next Android.Enesoluty App: Published on March 25, 2013.
The fifth malicious app was developed and added to the line-up.
We also believe Android.Maistealer and Android.Enesoluty share common source code with another malware, called Android.Uracto, and that a different group of scammers were maintaining the latter, as the distribution strategy of the malware differs considerably. It is believed that this other group has yet to be identified, so there will probably be another few twists and turns to this story in the future. Details of the scams performed by Android.Uracto can be found in the following two blogs:
- Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More
- Android Malware Spams Victims Contacts
To conclude this blog, we would like to commend the Chiba Prefectural Police for making this arrest. Symantec has been working in cooperation with the investigators to make this arrest happen and will continue to assist in the prosecution and sentencing of the criminals as needed.