A fake Apple iMessage app for Android platform is concerning mobile developers and security experts. The app was initially published on the Google Play store but it isn’t the Android version of the popular instant messenger service developed by Apple Inc., it is a free application credited to a guy named Daniel Zweigart.
The app has been pulled from Google Play according to a Google spokesperson, but it is still available on numerous third party sites, including download.com. The fake iMessage app for Android allows users to interact with Apple users, but it stealthy elaborates users’ data on the developer’s server hosted in China.
“Every packet from Apple is forwarded to 126.96.36.199, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what’s happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”
The author of the App managing the hosting server is able to read all message content, user credentials and possible Apple ID account information including credit card numbers.
The mobile developer Jay Freeman wrote an interesting post a his Google+ page in which provided more information on the mysterious app.
“This not only means that Apple can’t just block them by IP address,” “but also that they get to keep the ‘secret sauce’ on their servers (and potentially just run Apple code: there are some parts of the process in Apple’s client code that is highly obfuscated). “Clearly, this is suboptimal from a security perspective,” Freeman wrote.
The malicious iMessage app for Android more surprises, according mobile developer Steven Troughton Smith it is also capable of downloading additional Android APKs in the background, circumstance that alerted security experts due the possibility to install malicious payloads on the victims mobile.
Software engineer Adam Bell added further information on the behavior or the mysterious app
“I can definitely confirm it can download APKs and patches in the background,”“As far as I saw no credit card info is touched (locally on the device anyway), but when you log in or send an iMessage, all data is sent to a server in China first, acting of some sort of MITM, so who knows what they’re doing with that.”
Bell also said that the app spoofs chat requests as a Mac mini.
“It may be that they’re using Mac Minis to forward the requests, or it may be just as simple as hiding the extra phone traffic as Mac Minis to go unnoticed,” Bell said.
Personally I think that most concerning aspect is that the iMessage app for Android had been published on the official Google Play for less than a month totaling at least 10,000 downloads.
Cybercrime is manifesting an increasing interest in mobile devices, a capillary diffusion and lack of awareness on risks related to principal cyber threats for mobile users makes these platforms privilege targets.
On May APWG published an interesting study, titled APWG Mobile Financial Fraud report, on the underground marketplace that revealed the explosion of prolific mobile fraud malware market.
The report confirmed the expansion of the black market for mobile malicious code and cases like the one proposed in this post are the confirmation of a concerning trend.
(Security Affairs – iMessage app for Android, mobile, cybercrime)