A Clever Malware Tactic and Why There’s Nothing You Can Do About It

As the owner of a mildly successful Android app, I sometimes get emailed about advertising, marketing, or acquisition opportunities. The messages usually propose some sketchy advertising partnership or pitch me some SEO work, and they’re pretty easy to weed out and ignore.

How I found a scam

I recently had an interesting encounter. It started off with another cold email. For context, I’m trying to cash out on my app by selling it.

Hi Will

I would like to purchase your brick breaker app listed on https://play.google.com/store/apps/details?id=com.RobbinsDev.Brick_Breaker

http://www.selltheapps.com/source/app/2614.php

My offer would be USD$500

Please let me know if this acceptable

Thank You,

Gabriel

Interesting. Not too many red-flags popping up yet. I responded quickly. School’s about to start and if there’s opportunity for a deal, I want to get it done ASAP (so don’t judge my utter lack of negotiation!).

Yes, I can accept that offer.

What information would you like from me?

A couple hours later:

Hi Will,

Great!

Do you have screenshots for

1. Total lifetime installs

2. Current installs by user by country breakdown

3. Total current installs

So I send the screenshots and get this back:

Hi,

Thanks for the screenshots.

Let’s proceed with the purchasing with the agreed price of USD500

I have the following payment methods available

1. Bank transfer/wire

2. Credit card

3. Skrill

4. Paypal

Let me know which method is comfortable for you and we can proceed with payment and app transfer

Thanks

Gabriel

Hmm, it feels like we’re jumping the gun. Any competent businessperson would ask about IP rights or obligations. I forwarded the email chain to a friend with some comments:

But their website is a shell and was registered on Aug 7 [actually it was registered 2.5 yrs ago, I misread the record] through DomainProxy according to the whois

Can’t find any info on the leadership of this company

The time zone places them in Asia. But the names on the website/emails are gabriel, calvin, and tony which aren’t Asian

The wire transfer requires my acct numbers which is a bit sketchy

The other payment options can be reversed super easily

I think that finding apps then offering to buy them is an uncommon scam strategy

I’m not sure what their desired endgame is. Steal the app by reversing payments? Get my acct. number for the wire, then print checks with it?

I start doing more in depth research on this guy. Not much comes up when I scour the web for his personal information and business records. I manage to convince him to chat over Skype, and we talk about his background and what he plans to do with the app.

I can’t get a single substantiative answer to my questions. As far as I can tell, everything he told me was a lie. Clearly this guy’s not legit. But at this point I’m too curious. What’s he up to?

A few more back/forth inquisitive emails accomplished nothing. I finally responded:

Hi Gabriel,

I’ve decided to not move forward with the deal.

You said that your company has been around for 10 years [on the Skype call] when it’s only been around for about a month. I’m not sure what exactly is going on (swapping the app out for malware?), but I can’t be a part of it.

Will

He sent back a few emails weakly defending himself and offering a different shell company to try and back his reputation. Here’s the smoking gun (emphasis mine, of course):

Could you enlighten me as well what is the real concern about? As the app purchase does not reveal any of your personal information and it is alright if you don’t wish to provide the original source code.

What’s going on, and what this means for broader security risk

Here’s the scammer’s game-plan:

  1. Find an Android app with a lot of users
  2. Purchase that Android app
  3. “Update” the app with malware (you don’t even need to buy the original source code!)
  4. ???
  5. Profit

This concerns me for two reasons.

I’ve had 3 “online advertisers” with non-existent reputations contact me in the past couple of months looking to buy Brick Breaker Free. I never had a problem with that previously, so it looks like this strategy is catching on. This also implies that it’s profitable.

Second, users can’t do anything to fight this scam. One day, you’re playing a fun game on your phone. The next day, you update to the latest version (I’m sure it’ll mention “bug fixes” or something similarly innocuous) and BAM! Malware.

From the development side, I know how tempting it is to just sell an app without due diligence. It’s not hard to see through these people’s shenanigans, but what if someone doesn’t know what to look out for, or what if they just don’t care? What if the scammers become more sophisticated and well-versed in business etiquette?

I just don’t see any way to easily prevent this from occurring.


Thoughts? Tweet me at @whrobbins or find my email at willrobbins.org!