Six men suspected of running an adult site and serving Android malware through it have been recently arrested by the Tokyo Metropolitan Police Department, and the website in question has been shut down.
But, as it turns out, there are at least two other websites out there that are affiliated with the one that was removed from the Internet.
“While there are countless numbers of sites aimed at scamming computer users, there have only been a handful of sites designed for smartphones to date. Out of those, we are aware of at least two sites affiliated with the site operated by the arrested men, and they are up and running at the time of this writing,” points out Symantec researcher Joji Hamada.
“These sites are affiliated in the sense that they host the same web application to deliver almost identical malicious Android apps. They share the same source code, but are customized for each site.”
The sites are also poorly protected, and that allowed researchers to root through the source code and unearth victims’ PII contained in it, as well as the developer’s (one Hiroki Kyama’s) personal and account data which was unexpectedly strewn through the scripts used in the app.
“It did not come as a surprise when I found out that one of the men arrested by police was Hiroki Koyama, as it is his details that I found in files on the sites. But it was surprising to see the two sister sites were still up and running after the arrest,” Hamada commented.
“I had originally thought it was the same group of operators jumping from domain to domain as they were being shut down for their malicious activities. I did not realize there could be multiple parties involved.”
And if the statistics about the registration of the malicious app are to be believed, some 56,000 users have downloaded and installed them. It seems that only a couple thousand have actually fallen for the scam and paid the 99,800 yen (around $1,256) fine via bank transfer, but it is still enough for the scammers to feel like rich men.