Early research from Symantec estimates that spammers behind a new type of Android malware may have already stolen “between 75,000 and 450,000 pieces of personal information” from Japanese users. While the two ends of that estimate are far apart, it does suggest the malware, Exprespam, has been successful since popping up a few weeks ago.
According to a blog post this morning by one of the firm’s security researchers, Joji Hamada, one website serving up the malware saw more than 3,000 visits last week, while another similar-looking, yet unnamed, app store appears to be on standby.
As previously reported, the websites trick users into downloading apps by mimicking the Google Play market. One site even called itself “Gcogle Play” earlier this month before changing its name to “Android Express’s Play,” according to an older blog entry on the malware. Links to the faux markets have been circulating in spammy Android newsletter emails since the beginning of the month.
When users download any of the infected apps, the phone’s information is harvested. Each device’s number along with the emails and names stored in the phone’s contacts section are remotely uploaded.
Despite recent mobile malware arrests in Japan, Exprespam joins a slew of Android malware variants that have popped up and tricked users into downloading bogus apps over the last couple of months. Enesouty, first discovered in early fall, and Dougalek, discovered around Halloween, have both been spotted sniping users’ information.
For more on Exprespam, including a summary of how Hamada deduced how many users were infected by the malware, head to Security Response.