Fake Android app steals data, takes shot at pirates

A malicious Android app that masquerades as a free version of a legitimate app steals data and sends spam text messages and a warning that chastise the user for trying to get around paying for the actual app, Symantec said today.

The app, available on several file-sharing sites in North America and Asia that are known as clearinghouses for pirated software, is called Walk and Text. That's also the name of a legitimate app--available on the Android Market for $1.53--that uses a device's camera to let people see what's in front of them as they text while walking. However, the bogus app is labeled as version 1.3.7, which doesn't exist yet, according to a Symantec blog post.

Once the fake software--which Symantec has dubbed "Android.Walkinwat"--is downloaded and running, it displays a dialog box that indicates that the app is in the process of being compromised or cracked, ostensibly to scare the person who thinks they're getting the legitimate app for free. Behind the scenes, the software is gathering sensitive data--including username, phone number, and unique device identifier--and trying to send it to an external server, Symantec says.

The app also sends out a text message (rife with misspellings and errors) to all the numbers listed in the user's contact list: "Hey, just downloaded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck.Don't steal like I did!"

The app also displays a message that says "Application Not Licensed" and warns: "We really hope you learned something from this. Check your phone bill;) Oh and don't forget to buy the App from the Market." It includes buttons for buying the app or exiting.