Questionable Android Apps -- SndApps -- Found and Removed from Official Android Market

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

On July 4th, 2011, my research team came across five questionable Android Apps in the official Android Market. These five apps share a common suspicious payload -- SndApps. This payload does not attempt to root users' phones. Instead, it lurks in host apps and stealthily uploads users' personal information, such as email accounts and phone numbers, to a remote server without the user's awareness. (NOTE: the host apps do not need the related permissions for their normal functionality.)

How it works

The SndApps payload can be started when the infected phone finishes booting or when an app is being installed from Android Market. Once started, SndApps collects the user's personal info, including the phone number and email addresses, and sends the information to a remote server.
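The behaviour described above (a boot-time or install-time start, access to the phone number and e-mail accounts, and an upload channel) leaves a recognisable combination in an app's manifest. The following is an added example for reviewers, not code from the SndApps analysis: it audits a decoded `AndroidManifest.xml` (for instance as produced by apktool) for that combination. The mapping to the standard Android identifiers `BOOT_COMPLETED`, `PACKAGE_ADDED`, `READ_PHONE_STATE`, `GET_ACCOUNTS` and `INTERNET` is an assumption, since the page does not name the intents or permissions involved, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed mapping from the described behaviour to standard Android
# identifiers; the page itself does not name intents or permissions.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",   # start when boot finishes
    "android.intent.action.PACKAGE_ADDED",    # start when an app is installed
}
DATA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",    # phone number
    "android.permission.GET_ACCOUNTS",        # account e-mail addresses
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Report background triggers, personal-data permissions and network access."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    triggers = [
        (receiver.get(NAME), action.get(NAME))
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
        if action.get(NAME) in TRIGGER_ACTIONS
    ]
    data = sorted(perms & DATA_PERMISSIONS)
    can_upload = NETWORK_PERMISSION in perms
    # All three together warrant manual review against the app's stated purpose.
    return {"triggers": triggers, "data_permissions": data,
            "can_upload": can_upload,
            "review": bool(triggers and data and can_upload)}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A `review` result of `True` is a prompt for manual inspection, not a verdict: many legitimate apps hold these permissions, so the question is whether the app's visible functionality needs them.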




Based on our initial analysis, SndApps has a built-in referencing mechanism to promote other instances of SndApps on the Android Market. Specifically, there is a special icon in each instance of SndApps. When the user clicks this icon, it leads to a list of other SndApps instances marked with "FREE" and "No Ads" in their descriptions to entice users to download and install them.

Follow-ups:

Last modified: July 15th, 2011