Somewhat controversial websites or apps called chat friend finders, or ID BBS (Bulletin Board System) are spreading widely in Japan. They allow users of well-known communication services like LINE and Kakao Talk to make friends with others by publishing profiles and service IDs, yet without disclosing real phone numbers and email addresses. Such sites and apps are not officially supported by the service operators and are usually discouraged, due to the potential danger. It appears that some users are being involved in crimes caused by criminal “friends.”
McAfee Labs has recently found suspicious chat friend finder apps on Google Play that target Android device users. These apps allow users to register and publish their IDs for several well-known communication services but at the same time secretly leak personal information such as phone numbers and Google account names (Gmail addresses in most cases).
Some of these apps seem to mainly target Japanese users because they support a Japanese interface, as well as some other languages, and also support a Japanese-specific communication service like Mixi. On the other hand, we guess that the apps were created by Korean-speaking developer(s) because the Japanese is sometimes unnatural and we can see Korean chat messages. Plus, the common server used by all of these apps appears to be located in South Korea, according to its IP address.
The contents of the apps description page on Google Play look as if they were copied and pasted or reused from similar Japanese apps with slight modifications. For example, the page says users should accept the terms and conditions in the app’s dialog box at initial launch–yet there is no dialog box. We doubt these apps are carefully or securely designed.
One of these apps allows users to publish their service IDs for LINE, Kakao, Mixi, and Skype as well as profile information like photograph, nickname, gender, and residential area. These pieces of information are disclosed to other users on the apps, enabling one to approach or to be approached by others. The apps also support chatting.
However, these apps secretly send users’ phone numbers, email addresses (Google account name), IMEI, and SIM serial numbers to a server managed by the app developer. Clearly, there is higher risk in storing personal information like phone numbers and email addresses in a form associated with various service IDs, public profile information, and chat contents than in storing that data separately. Once this data is leaked, malicious parties can approach specific users using their phone numbers or email addresses, and knowing the victims’ preferences or activities in various communication services.
The secretly collected personal information and its association with various IDs and user profile information are not disclosed to users. As always, there are risks that security vulnerabilities in the apps or their data management server could cause the information to leak to malicious third parties.
At installation these apps request many kinds of permissions. These requests seem excessive for the functions of the apps. The dangerous information leak is related to only two requests: READ_PHONE_STATE and GET_ACCOUNTS. The remaining requests appear to be used by ad modules in the apps or may be unused.
Users should be very careful about permissions requested by Android apps, and also confirm that the app provider is trustworthy before providing any permissions.
Using chat ID BBS sites or apps, even without information leaks, is dangerous. These new apps will expose careless users to much higher risks of having their personal information associated with anonymous IDs and various messaging services. If users really want to use chat ID BBSs, we recommend that they visit simple websites rather than use apps to prevent unnecessary information leaks.
McAfee Mobile Security detects these suspicious apps as Android/ChatLeaker.F.