I got an email on my work email account last night that simply said:
Hi! (URL REMOVED)
The URL (which I removed for everyone's safety) was the name of a bar, and since I work for a restoration company it looked like it could have been something important. So I did what I thought was “safe” and clicked the link on my phone. It did a bunch of redirects, and the page I ended up at was a .RU page, which, for those who didn't know, is Russia's country-code domain.
It then immediately popped up and tried downloading a .APK file called “security.update.apk”.
.APK is the file extension for an Android application package, the format Android apps are distributed and installed in – in layman's terms, it is an Android app.
This made me curious about what it would actually do, so I cleared myself out of the screen on my own phone and grabbed one of the Sprint Store demo phones. One of the benefits of working at a Sprint Store is that you have access to a bunch of phones to test stuff on…
I went to the site and downloaded the app. It is also important to note that on the stock browser for Android (not Chrome) there was NO security warning like the one in the picture above. It simply started downloading the app.
I am assuming the popup is generated by Google because (at one point) I chose to have Google scan apps as I download or install them. When you first set up your phone, it gives you a popup asking if you want to take part in this. Based on my experience here, I would say it is a good idea to allow it to scan your apps…
BUT, since it was NOT my phone, I decided to ignore the good advice and install the app anyway.
The permissions that it wanted access to were:
- Full network access – which I would assume is so that whatever information it mines can be sent back to their servers…
- Run at startup – which lets the app start itself again after every reboot, so a restart does not get rid of it.
I proceeded to click install and for a moment nothing happened. It just kind of sat there and did nothing. No smoke, no crazy menus, NOTHING.
Then a notification popped up. It was a Google-looking popup with a message saying that my Gmail account login had failed and I needed to re-enter my password. I found this funny, since I had just emailed the link from my phone to this phone moments prior.
I just cleared the notification, decided that the fun was over and did a hard reset on the phone.
It is important to note that the phone I tested this with had no data on it, just a couple of media players and simple apps. The Gmail account doesn’t even have any contacts, so there was no worry about it spamming contacts or anything like that. A completely safe environment…
Hopefully this gives someone a little education on how these hackers do their work, and how to avoid having your information compromised.