NEWS FROM THE LAB - Monday, June 27, 2011

Cloned Android Apps: Symbiosis or Parasitic? Posted by ThreatInsight @ 08:22 GMT

There was a recent report of a malicious Android package installation being hosted on a fake "Android Market"-lookalike site, which was pushed to users from an advertisement link.

The distribution strategy itself is not new. We saw variations of this happening with Google advertisements 2 years back, though in that case it was rogue or scareware that was being pushed by the advertisements.

What is interesting about the case is: Android application repackaging. We've seen this tactic being used quite frequently in the last few months, as it seems to be the favored "quick" way for malware authors to produce new Android malware.

What's also interesting is that this seems to be a popular way for developers to produce "new", clean applications. We've been seeing a rash of repackaged applications posted on the official Android Market. (Android apps are written in Java, and so they have a very low threshold for cloning, there are no real barriers to reverse engineer them.)

One example we saw recently is shown below, with the original app on the left and the repackaged app on the right:

original app repackaged app

original app details repackaged app details

The repackaged application has the same modules as the original, but includes an advertisement module. In some cases, there were no technical changes from the original application at all — just a change in the app name, of course.

Most of the repackaged apps we've seen are "clean" in that they don't have any malicious code included in them. So far, we also haven't seen any instances of the repackaged apps being distributed as paid apps.

Presumably, the point of the repackaging is to include the advertisement module, with the developers gaining some kind of monetary reward when users view or click through the ads being displayed.

However, since the repackaging was most likely done without the consent of the original developer(s), the repackaged app would probably be considered pirated, or at least intellectual property theft to the original developer.

This is still something of a grey area though, especially as Google doesn't actively vet every application posted on the Android Market. Whether most developers — and users — are going to consider these repackaged apps as just another side-effect of an "open market" philosophy, or conversely as rip-offs of a developer's honest efforts, is anybody's guess.

Threat Insight post by — Raulf