According to the old Chinese saying, the journey of a thousand miles begins with one step. And our path to revealing large-scale theft of VKontakte users’ personal data began with an email from a user asking us to take a look at a suspicious app.
At first glance, the VK Music app only displayed legitimate functionality – it played audio files uploaded to the social network. But further study showed that it also contained malicious code designed to steal VKontakte user accounts and promote certain groups on the social network.
VK Music was available for download at the official Google Play app store. By our estimates, the attackers could have used the app to steal hundreds of thousands accounts from users of the social network.
How this malicious program works
Immediately after running, VK Music asks users to enter their login and password for their VKontakte account so that the app can function on the site.
After users enter their login details the app sends them to the legitimate authentication server oauth.vk.com. If authentication is successful, the user can listen to music uploaded to the social network. At the same time, a Trojan sends the verified login and password to a cybercriminal server in ordinary text.
It should be noted that this method of transferring the logins and passwords could also result in them being used by other criminals, because the secure HTTPS protocol is not used.
The Trojan then contacts its server for a list of groups to be promoted by the attackers and immediately adds the stolen accounts to these groups.
In addition to promoting groups, the attackers can change passwords and use stolen accounts at their own discretion: we know of cases when victims of the Trojan lost access to their accounts on VKontakte after a period of time.
As mentioned above, VK Music could be downloaded from the official Google Play store. Such apps are very popular among Android users.
The first version of the malicious VK Music app known to us was published on Google Play on 16 August 2015. Then the versions were modified every 6-10 days. Only the package name differed for all the versions – the functionality remained unchanged.
The latest version known to us was published on 4 October. It was at least the seventh version of the malicious application; the earlier six modifications were removed by Google. At the same time, according to data in the Trojan code, it was the 15th version of the application. We cannot confirm that all those versions were published on Google Play; we have only seen seven of them.
What makes the situation worse is the ease with which the fraudsters upload every new version of the Trojan in place of those that are blocked.
By the next day the version published on 4 October already had an average score of 4.5 with more than 600 user ratings.
According to Google Play, the latest version was downloaded by between 100 000 and 500 000 users in just two days. Our data suggests that one of the earlier versions was 10 times as popular, meaning that version alone could have infected hundreds of thousands of devices.
For the user, the theft of his VKontakte authorization data will go unnoticed until the criminals decide to use the data and change the login/password or start sending spam from a stolen account.
We urge users to be careful and not to enter their login details in third-party apps. If you have installed VK Music or a similar app for listening to music on VKontakte, we strongly recommend you remove it and immediately change the login and password to your account on the network.
We reported the latest version of the malicious app to Google, and it has been removed. The groups promoted by the Trojan were blocked by the social network’s administration, whom we also informed.
All versions of the malicious application are detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.a.
Special thanks to Alexander Denkov for his help in detecting this malware.