
March 21st, 2011

Android is calling: Walk and Text and be Malicious

Our original blog entry about a malicious version of an IncorporateApps Android application called “Walk and Text” generated some very contentious comments from the author/distributor/publisher of the legitimate application. So, we decided to rewrite the posting to make things a bit clearer:

One of our analysts received (from one of their friends) the SMS that you see down below. We thought it was intriguing and we decided to investigate. We found the infected “Walk and Text” application on the internet (it is not of course on the official Google marketplace) and tore it apart.

We initially thought it was just a classic Android Trojan. Since the bad guys do like to hide viruses/Trojans inside pirated applications, this seemed a very reasonable explanation. The application was also signed but with a profane signature and thus there was no way it would ever be published on a legitimate marketplace. It did two things. First, it sent the above-mentioned SMS to the contacts in the user’s Android phone contact book.

Second, it stole the personal information from the Android phone and sent it elsewhere on the Internet:

While stealing personal information is definitely a hallmark of a Trojan, the embarrassing SMSs are not. Trojans placed by bad guys usually operate quietly as they are designed to gather information without the user knowing. Sending such an SMS to the contact base just immediately tells the user that they have been “caught”. And of course, the user is left with the bill for all the SMSs that were sent. So, while it is a Trojan, it also seemed designed to punish the user of the pirated application.

As you can see in the above code, the personal information is being sent to a URL ostensibly belonging to IncorporateApps (http://incorporateapps.com/wat.php). Now of course, if a bad guy wrote this piece of malware, they could put any URL (including ours) they wanted into the application. So, we checked into this URL and discovered that it was probably live—no page loaded but there was also not a 404 so something was probably there and it was potentially collecting the personal information. After the original blog entry was made, this behavior changed and the warning page you now see at http://incorporateapps.com/wat.php was stood up.

So we then tried to find out who IncorporateApps is and to contact them. The obvious place to check is www.incorporateapps.com. However, that website is just a stub—a couple of pictures, no links, no text, and no contact information. We then checked the Android marketplace (https://market.android.com/developer?pub=Incorporate+Apps) and found no contact information but rather just a link back to the stubbed website.

Next, we checked the registration of www.incorporateapps.com and saw some red-flags: semi-anonymous, no email contact, possibly eastern-european but registered in Germany, and registered through Tucows. While there are many legitimate reasons for these attributes, unfortunately it also fits the profile of bad-guy registrations.

So, what is this and who put it out? We see three possible explanations:

  • First, it could be malware put out by a bad guy. While it does not have the classic behavior of a bad-guy Trojan, as it provides nothing of value to the bad guy, it does have the ability to embarrass/punish IncorporateApps and maybe that was the intent. If so, it would be very interesting as out of the hundreds of thousands of pieces of malware we see, it would be the first with this purpose.
  • Second, it could be designed to gather users’ personal information. This does not seem too credible for two reasons: first, the application could not be widely distributed as it quickly informed the user that it was malware; and second, the information was obviously going to an IncorporateApps URL.
  • Third, it could be someone’s (not necessarily IncorporateApps’) attempt at an anti-piracy measure. Piracy is of course the scourge of the software industry and many software developers have probably fantasized about doing something to punish users of pirated software.  This application seems perfectly designed to do this: It costs the user money for the SMSs that are being sent; it embarrasses the user with his/her friends; and it provides tracking information about who has installed the pirated product.

Of course, whether it is any of these three things—or something else—only its author knows for sure.

This is just an example of the dangers inherent in the open Android application marketplace. While users can be reasonably certain that Android applications distributed through a legitimate marketplace are clean, users should not assume that Android applications obtained elsewhere on the internet are clean. And of course, there have also been widely publicized examples of Trojan/virus behavior on applications distributed through official marketplaces.
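One way to check a sideloaded copy against the Market release of the same version is to diff the two packages entry by entry. The following is an added example, not code from the original post or from avast!: the function names and the two sample archives are constructed for illustration, and it assumes the JAR-style signing files kept under META-INF/.

```python
import hashlib
import io
import zipfile

# JAR-style signing metadata. It changes whenever a package is re-signed,
# so it is reported separately from the payload.
SIGNING_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signing_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)


def is_code_entry(name):
    # Dalvik bytecode and native libraries: where added behaviour would live.
    return name.endswith(".dex") or name.startswith("lib/")


def entry_digests(apk_bytes):
    """Return {entry name: SHA-256 of uncompressed content} for an APK (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        return {
            info.filename: hashlib.sha256(archive.read(info)).hexdigest()
            for info in archive.infolist()
            if not info.is_dir()
        }


def compare_apks(reference, candidate):
    """Compare a candidate APK with a trusted reference copy of the same version."""
    ref, cand = entry_digests(reference), entry_digests(candidate)
    ref_payload = {n: h for n, h in ref.items() if not is_signing_entry(n)}
    cand_payload = {n: h for n, h in cand.items() if not is_signing_entry(n)}
    ref_signing = {n: h for n, h in ref.items() if is_signing_entry(n)}
    cand_signing = {n: h for n, h in cand.items() if is_signing_entry(n)}

    added = sorted(set(cand_payload) - set(ref_payload))
    removed = sorted(set(ref_payload) - set(cand_payload))
    modified = sorted(
        n for n in set(ref_payload) & set(cand_payload)
        if ref_payload[n] != cand_payload[n]
    )
    code_changed = sorted(n for n in added + modified if is_code_entry(n))

    ref_sha = hashlib.sha256(reference).hexdigest()
    cand_sha = hashlib.sha256(candidate).hexdigest()
    if ref_sha == cand_sha:
        verdict = "identical"
    elif not (added or removed or modified):
        verdict = "payload unchanged"   # re-signed or re-packed only
    elif code_changed:
        verdict = "code modified"
    else:
        verdict = "resources modified"

    return {
        "verdict": verdict,
        "candidate_sha256": cand_sha,   # the value to publish alongside a report
        "added": added,
        "removed": removed,
        "modified": modified,
        "code_changed": code_changed,
        # A changed signing block does not by itself identify the signer;
        # comparing certificates needs a signing tool.
        "signing_changed": ref_signing != cand_signing,
    }


def build_sample_apk(entries):
    """Build a tiny constructed archive with fixed timestamps (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2011, 3, 17, 0, 0, 0))
            archive.writestr(info, data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes standing in for real file contents.
OFFICIAL_ENTRIES = {
    "AndroidManifest.xml": b"manifest as published",
    "classes.dex": b"original bytecode",
    "res/layout/main.xml": b"layout",
    "META-INF/MANIFEST.MF": b"entry digests A",
    "META-INF/CERT.SF": b"signature file A",
    "META-INF/CERT.RSA": b"signature block A",
}
SIDELOADED_ENTRIES = dict(
    OFFICIAL_ENTRIES,
    **{
        "AndroidManifest.xml": b"manifest with extra permissions",
        "classes.dex": b"bytecode with added routines",
        "META-INF/MANIFEST.MF": b"entry digests B",
        "META-INF/CERT.SF": b"signature file B",
        "META-INF/CERT.RSA": b"signature block B",
    }
)
RESIGNED_ENTRIES = dict(OFFICIAL_ENTRIES, **{"META-INF/CERT.RSA": b"signature block C"})

OFFICIAL_APK = build_sample_apk(OFFICIAL_ENTRIES)
SIDELOADED_APK = build_sample_apk(SIDELOADED_ENTRIES)
RESIGNED_APK = build_sample_apk(RESIGNED_ENTRIES)

if __name__ == "__main__":
    for key, value in compare_apks(OFFICIAL_APK, SIDELOADED_APK).items():
        print(f"{key}: {value}")
```

The comparison is only meaningful against a reference copy of the same version; a different release will show modified code for ordinary reasons.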

 

  1. nmb
    March 22nd, 2011 at 13:54 | #1

    Seems that Android version of avast is not too far ;)

  2. March 22nd, 2011 at 19:58 | #2

    Hello,

    We can assure you that the APK file which you are reviewing was not posted by us! We have no idea why somebody will try and put bad publicity on our Apps or company. There is also no such php file on our servers!
    We argued about a previous version of our Apps being stolen and hijacked on numerous forums and I guess people tried to get back on us in some way. This particular version of the APK is being spread like a worm all over the place and we have no control over it as it is on numerous packages found on torrents all over the place.
    We however managed to pull out some of the cracked versions from fileservers (with huge efforts)
    As you can see we have numerous Apps on the Market and you are free to download any of them and see if there is anything wrong with them!

    As for the website, it is still in development and we haven’t had time to put it online yet, but make sure that it will come soon!

    We would appreciate it if you contact us directly and also take the article from the net!

    Thank you

  3. March 22nd, 2011 at 20:36 | #3

    @incorporateapps
    Hard to believe as the url was giving me other than 404 reply in the past.
    Also, how do we contact you, when you have no contact info in your Market profile, no contact on your webpage, no contact in your webpage’s sourcecode and hard-to-believe contacts in your domain registration data?

  4. March 22nd, 2011 at 21:37 | #4

    Jindřich Kubec
    Sorry but this is total B…!

    We have contacts on the Market – numerous contacts can be found on every page of every App. Every single App on the Market and ours as well has direct contact underneath in the Market App. Did you download the original App from the Market? We have a direct contact email link on our Apps
    Here are all our Apps, download and have a look:
    https://market.android.com/developer?pub=Incorporate+Apps

    We receive hundreds of emails and answer within 24 hours to every email from our Support emails.
    I don’t understand how our webpage “looks kind of strange” – ok there is no website at the moment, because we are busy doing the Apps, but the website is coming do not worry!
    I am not sure why the whois shows another email, I will contact the company we registered the domains with. There is however a telephone number and an address – have you tried contacting us on the “hard-to-believe” phone number? No!
    The website represents one of our featured apps Spoty
    https://market.android.com/details?id=apps_featured

    So how come you and your company think that our company is putting malicious software and Google isn’t and is featuring our Apps?
    To remind you, to be featured on the Market you have to put out something really interesting to be noticed by Google.

    Here is the direct link to the file you are putting as our own
    http://incorporateapps.com/wat.php

    We just added it today!

    I am not sure why there wasn’t a 404 error, but as your professional as a blogger is somewhat considerable after this article I can’t be really sure that you visited the page in the first place.

    So how come you have this cracked version of the file and never downloaded the original APK from the Market? Go ahead download it and review it! We have thousands of customers, do you think they have sent numerous SMS messages and they never noticed this?
    I can clearly see how a company like AVAST has interest in spreading fear among the community, but this is not the way to go!

    We once again demand to put this article down immediately, we have contacted our attorneys to investigate on the matter. Spreading false claims on the internet and such behavior is “illegal” and not in “some countries”, but in the whole of the EU!

    Please remove the blog post!

  5. March 22nd, 2011 at 21:41 | #5

    We also demand putting another article and twitter posts stating that your original article was making false accusations to our Apps and company!

    Thank you!

  6. March 22nd, 2011 at 21:57 | #6

    Could you please publish my other comment as well!
    thank you

  7. March 23rd, 2011 at 01:19 | #7

    We find it offensive that you deny us the right to an answer by not publishing our reply and not removing this false article!
    Insinuating that our Market App has anything to do with this cracked app your colleague has downloaded from pirate websites (also illegal!) in favor of spreading fear and pushing your products is disturbing!

  8. March 23rd, 2011 at 15:00 | #8

    Georgi, I will modify the blog entry and add a paragraph from you. Can you please provide such a paragraph that answers:

    Can you please reply to some questions?
    a) The link was not giving 404 when we tested that. What happened to the personal collected data which were sent by this app? How many logs you’ve got? This must be at least logged in servers logs.
    b) Where on your website is your contact?
    c) Where in the website sources is your contact?
    d) Where in the domain registration is your contact?
    e) Where on the Market is your contact?

    I still don’t believe we’re spreading false claims. We described only facts about the application (verifiable), we’ve seen the spyware behaviour inside and this _IS_ sending data to your website (verifiable). You don’t have in usual public places the contact info (verifiable).

    So please reply to the above questions and tell me what exact (short) statement you want to make about this.

  9. March 23rd, 2011 at 15:02 | #9

    You are making false claims:
    A) You never mentioned that the APK you are reviewing was downloaded from a torrent/pirate fileserver etc. You claim that the file was downloaded from the Market. This is a LIE!
    B) You also insinuate quote: “since they are collecting not only money but also our private information”. We provide Apps on the Market and Market alone and we do not collect “private information”. If your colleague is downloading cracked Apps then this is his problem and we have no control over anything other than the official Market. Period!
    C) We have zero logs as there was no such file collecting such data from this cracked APK file. Period!
    D) Our website is just a QR Code for our Featured App – consider it “under construction” website. There is going to be contacts and everything coming, we do not put contacts on under construction websites!
    Our contacts could be found under the domain (name and phone number), and under each of our Apps on the Market and within the Apps themselves we have direct links!

    Every App can send data to every fileserver if they want. You can put that APK in under 2 minutes and send data to avast if you care to, so what are you proving here?
    Where did you get this APK file from? “3rd-party application stores”? We only have our App on the Official Android Market!

    I saw that you bought our App from the Market – unpack it and state right here on the BLOG if this malicious code is on the official file. The latest version on the Market is from 17.03.2011

    We still demand this blog post removed, as you:
    A) Falsely accuse our Android Market App of collecting private information (LIE!)
    B) Never contacted us about this Blog (Confirmed)
    C) Downloading cracked APKs from anonymous places and falsely insinuating that they are from “3rd party App Stores” and posted by us (Confirmed!)

  10. March 23rd, 2011 at 15:09 | #10

    Please contact us directly through our email or telephone number to continue this discussion.
    Your CTO Ondřej Vlček should have our contact details.

    Modifying the blog entry is not going to be enough I am afraid.
    168 People have linked this on their facebook pages, thousands receive this as a RSS Feed which is clearly putting bad publicity on our Company!
    We demand you take down this article and put another one explaining that our Company has nothing to do with this file and that this malicious APK is a cracked version of our App!
    You can even put a disclaimer for people to not download our App from unofficial sources if this will help!

  11. March 24th, 2011 at 13:46 | #11

    This is outrageous!
    We are going to file a law suit against your company for this false article!

    Every App has a direct link to the developer – visit the Market from an Android device and not the online market and you will see, who are you kidding here?!?
    And insinuating that “an eastern european guy, registered in Germany” is raising Red Flags is not only racist, idiotic or who knows what else, but also puts a whole new twist to your company as a whole.

    We tried to contact any of the concerning parties writing this article and our calls are being blocked and we are denied any reference. To clarify this – our calls are being blocked!

    We consider your company a big hoax and once again are looking into ways of filing a law suit here and in the CZECH REPUBLIC, an Eastern European Country.

  12. Aethec
    March 24th, 2011 at 20:11 | #12

    @incorporateapps: Having to visit the Android Marketplace and not a web site to find contact info, when most people don’t have an Android device, is rather strange. Just my 20 pence (before you start shouting, I am not affiliated with Avast Software or whatever).

    @Jindřich Kubec: Out of curiosity…did you decompile the officially available app, too? Maybe it does the same thing, which would explain the sending address.

  13. March 25th, 2011 at 05:42 | #13

    “This is outrageous!
    We are going to file a law suit against your company for this false article!”

    I learned a long time ago that talk is cheap and actions speak louder than words.

    I’ve known Avast long enough to know that they aren’t going to publish something unless they are absolutely sure of the statements they make without having the facts to back them up.
    Just my 2 cents. :)

  14. March 25th, 2011 at 07:44 | #14

    I agreed with Bob,

    If you never did such as described in article, why you should be afraid and talk a lot of useless things in this blog?

    But instead of that, if you always speak loud and put a lot of information to blame AVAST or others company so that’s claimed you did this by your words. So just carefully to blame and judge others without corrected and improve yourself.

    cheers,
    Yanto Chiang

  15. March 25th, 2011 at 12:44 | #15

    Well,
    Mr Gostischa, Chiang, it is very clear that you are obviously AVAST affiliates (and probably on a payroll/or any other way related to AVAST, simple click on your links reveals this – One offers seminars on AVAST and the other is selling their products) so it is probably obvious your interest in your comments.
    I leave it to the smart people out there to judge your comments.

    Best regards.

  16. igor
    March 25th, 2011 at 15:31 | #16

    Mr Gostischa, Chiang, it is very clear that you are obviously AVAST affiliates

    Which they are not trying to hide. Pity the same cannot really be said about you…

    I leave it to the smart people out there to judge your comments.

    Don’t worry, I’m sure the smart people out there are certainly reading it right.

  17. March 25th, 2011 at 15:55 | #17

    Which they are not trying to hide. Pity the same cannot really be said about you…

    Hide that we are affiliate to AVAST? Doesn’t make any sense really

    To answer Mr Gostischa with Facts:
    - AVAST have built their whole article around a cracked APK dl-ed illegally from unnamed sources (we are to see this APK file and the source be named) They never stated that it was a cracked file in their original Article!
    - AVAST have falsely claimed in their original Article that they downloaded the file from the Market and that quote “the company takes the money and steals personal information”. Something which can very well be proven to be a Lie. No AVAST staff member has ever downloaded the official file prior to the Article.
    - AVAST falsely claim that we have no contact details. Once again those are easily accessible. They also claim that DomainFactory GmbH, the Company we registered the domain with, is “suspicious”. Just to remind you that DomainFactory GmbH has more customers than the entire population of the Czech Republic, so I don’t know what this speaks for the Czech Republic then…
    - On the contrary, every contact with representatives of AVAST has been denied, our calls are being blocked and not returned. This could also very well be proven, email us if you wish more information!
    - As for the lawsuit, make no doubt that we are looking into our options here. But since this company has wisely chosen an Eastern European State to be registered this could prove rather cumbersome. If this Article was printed by a Company from an older EU Member State, with established Democracy and Legal System, we can assure you that not only was this probably never going to happen in the first place (due to the fact that we were never contacted for reference), but this company will pretty soon be out of business.
    - Mr. Chiang, if protecting your interest against false accusations equals direct admitting of the claims and same accusations in your culture/country of origin, then I can only feel sorry for you.

    Nothing more to be added here.

  18. igor
    March 25th, 2011 at 16:47 | #18

    Hide that we are affiliate to AVAST? Doesn’t make any sense really

    Obviously, I meant your contact details.
    But if you call the current contacts “easily accessible”… well, I don’t want to imagine what you might call “hard to find”.

    But since this company has wisely chosen an Eastern European State to be registered…

    Yes, that was for sure incredibly wise and sneaky – provided the company was founded in Czech Republic some 23 years ago, and is located there (with Czech employees) ever since…

  19. March 25th, 2011 at 18:40 | #19

    But since this company has wisely chosen an Eastern European State to be registered this could prove rather cumbersome. If this Article was printed by a Company from an older EU Member State, with established Democracy and Legal System

    One really must laugh at such blatantly bigoted comments suggesting that Central/Eastern Europe are somehow inferior to wherever YOU are.

    According to the AV-Comparatives 2011 Security Survey, 5 of the top 7 choices for products to test/review are companies in Central/Eastern Europe.

    This company is rooted where it began — in a geographic and cultural region of hard-working and highly innovative people with integrity, who have made their mark in various fields/professions all over the world (read some history).

    And because of that integrity, and because of the business AVAST is in, the company cannot be bullied.

    Sincerely,
    an American AVAST employee in Prague

  20. Ivan
    March 26th, 2011 at 20:31 | #20

    I must say that as a bystander there is something fishy about this original post.
    You put the post around an unofficial file from the Internet and never said that it is not from the market, without any evidence that the dev submitted it in the first place?
    I got the original file from the market and there was no such code inside, I also found the email contacts within the application. It is obvious that you are misinforming.
    If their only business is selling apps and then they have their contacts inside their apps, why would I look for their contacts in some whois pages on websites instead of the apps ?
    I am personally offended by your comments about east european names. I have such name and happen to live in Germany, so I am a criminal? The dev is right, in Germany you will not get away with such post like that based on disinformation, you will get sued and you will lose.

    It will be nice to hear why you posted this in the first place if you are not reviewing something official?

  21. Sacha
    March 27th, 2011 at 11:17 | #21

    Avast screwed up on this post. The technical findings are correct but are evidently NOT the work of the Market registered developer. The app was pirated, an unfortunately all too frequent occurrence with Android apps. Avast deserves credit for identifying a pirated app but owes an apology to the devs.

  22. March 27th, 2011 at 12:05 | #22

    I am personally offended by your comments about east european names. I have such name and happen to live in Germany, so I am a criminal?

    @Ivan, as the original post makes no disparaging comments about Eastern European names, it is unclear who you are addressing in your comment. The original post says this:

    …some red-flags: semi-anonymous, no email contact, possibly eastern-european but registered in Germany, and registered through Tucows. While there are many legitimate reasons for these attributes, unfortunately it also fits the profile of bad-guy registrations.

    That says NOTHING negative about Eastern Europe — or any names from the region (note that AVAST is based in Prague and the author of the post has a Slavic name). What it does offer, however, is some healthy skepticism… and raises a good question as to what degree of transparency legitimate companies should operate with, in order to remain above suspicion.

    Any security company that takes its tasks seriously cannot be friends with all developers. Likewise, if a tech journalist writes somewhere to “be careful where you get your antivirus software,” it is worthy advice.

  23. igor
    March 27th, 2011 at 13:08 | #23

    Sacha :
    Avast screwed up on this post. The technical findings are correct but are evidently NOT the work of the Market registered developer.

    The post doesn’t say it is the work of the original developer, does it?
    Regarding the “evidently”, however – where is your evidence?

  24. Sacha
    March 27th, 2011 at 14:06 | #24

    The post certainly passes judgement and strongly insinuates guilt. Guilty until proven innocent seems to be Avast’s take on this.

  25. Ivan
    March 27th, 2011 at 19:56 | #25

    @Jason
    You are either blind or think we are blind, you quote and then turn the quote around:
    “possibly eastern-european but registered in Germany…profile of bad-guy registrations”

    He is making judgements based on names and countries, total racism!!!
    I checked the whois and the name seems slavic, but there is a telephone number and Domain Factory contacts. I also happen to own a domainfactory domain, so I guess I also file under the bad guy category according to Avast. Rubbish!
    I see this post in two ways, either the author got burned and had to pay some $ for SMS, but this is his own fault, because he was downloading illegal apps.
    Or, like the dev suggested, Avast is developing anti piracy apps for Android. If neither of the two are true then I would like an Avast official to come here and write that Avast is not developing software for Android and is not planning on it.

    @Igor
    This post doesn’t, but the original did, the dev quoted the original part where they say the official app is also stealing information.
    I think Avast has to apologize!

  26. igor
    March 28th, 2011 at 00:11 | #26

    No, it’s not judgements – it’s just small hints, and matching the patterns you see to those patterns you encounter (in the world of malware) on a daily basis. If you happened to be in the security industry, you wouldn’t be surprised – it’s those small pieces of information you feed into the “heuristics” to get the overall level of suspiciousness.

    The words “possibly eastern-european but registered in Germany” mean that it’s a bit strange that the guessed (yes, it’s just a guess, you can hardly say much just by the name) origin seems to be different from the registration country. Sure, it doesn’t mean anything per se – and the post doesn’t say it does, even though you’re saying otherwise – and if there wasn’t anything else, it would be closed as irrelevant (since it’s only a guess, it could be wrong anyway). Here, it just slightly increases the suspiciousness of the other things – such as the target URL accepting the submitted personal data without giving 404; and yes, I find it very strange that there’s no e-mail contact anywhere on the company “web” or on the market; why should I have to install, or maybe even buy, the application – just to get the e-mail contact? (If I were even more paranoid, I’d say it seemed like somebody wanted me to install the app first… to send my data somewhere maybe?).

    Pages of replies written here, but is there anything like “our contact address is support@incorporateapps” there? [I just made that one up, I don't know if it works] No, only repeating “our contacts are everywhere”… strange again. OK, could be some kind of corporate policy not to reveal the e-mail… but personally, if I came across such a product/company, without any contacts on web – I certainly wouldn’t send my money there (or install the app), even if that app was exactly what I had been looking for; I’d simply find it suspicious. Sure, that’s just my personal feeling… trying to be careful on today’s internet.

    This blog is related to an antivirus company – it talks about dangers on the internet and elsewhere (so no, avast! is certainly not developing an anti-piracy app for Android). If the file is “official” or not – it doesn’t really matter (I mean – regarding whether it should be written about or not; I’m not saying apps should be pirated), the important thing is that it’s out there, between the users – even if pirates. Many malware infections in the Windows world may be spreading because of pirated copies of Windows with automatic updates disabled – but it doesn’t mean these threats should be ignored, those infected machines endanger all the other ones as well.

  27. William
    March 28th, 2011 at 05:08 | #27

    Can Avast provide an MD5 or SHA-1 signature for the infected APK file ?

  28. WLee
    March 28th, 2011 at 07:42 | #28

    First Avast insists that they downloaded the app from the Android market… until the post is changed and they admit they didn’t. They first insist that the dev is guilty… until they back off just enough to still insist the whole thing is suspect. All of this based on circumstantial “not quite” evidence which is now being spun as some kind of heuristic analysis technique. Not very impressive.

  29. March 28th, 2011 at 13:33 | #29

    We have never ever written this bad app is from market. Never.

  30. March 28th, 2011 at 14:58 | #30

    @Kubec

    Once again a total lie and not only can you not hide this lie, you are reproducing it in this article:
    “This is just an example of the dangers inherent in the open Android application marketplace”
    To underline what you said, “This is a problem” of the ANDROID MARKETPLACE! You once again, between the lines, insinuate that the file is from the Marketplace. How is this a problem of the Marketplace when you download the file from a torrent/forum whatever (we still wait for the Name of the colleague and website you downloaded the file to be revealed)
    Not only are you downloading illegal software for free (is this not a crime in Czech Republic? I think so), but also stating that “the company is – stealing personal information and taking our money” quote from your original article.

    @Igor
    Thank you for revealing your identity as an Avast employee, this makes so much more sense now.
    You once again failed to understand what @Sacha is saying – guilty until proven innocent.

    Please remove the email from your comment!!! I understand your goal is to send spam to us and once again, this email is exactly our support email, quite a coincidence that you just “made it up” although it is all over our market apps.
    And just for your information:
    80% of all the Android/Iphone etc Market Apps do not even have a website, even on the featured list! And once again, even though you play the innocent part here, all those Apps have an email in their descriptions, YOU DO NOT HAVE TO DOWNLOAD THOSE APPS – it is right there on the MOBILE (not WEBSITE based) Market. Once again Avast fails to open the original Android Market Place to look for the contacts of the App, but looks in all the impossible places, a normal user should never even need to, if they look for the App on the Market.

    I thank all the commenters for their support. You can help us by writing to Avast directly and demand that this article be taken down from the Internet. If they do not listen to their own customers then I don’t know who will they listen to…

  31. igor
    March 28th, 2011 at 15:22 | #31

    - I don’t care about sending you anything, and spam even less. If you check the post again, you’ll find out that I omitted the tail on purpose.
    - I’ve never seen any single one of your apps, so yes, I just made that mail up; it wasn’t THAT hard a guess, was it?
    - I’ve never said you’re guilty. But if you want my PERSONAL opinion – I don’t believe all that was just a coincidence. But I certainly might have an elevated risk perception, compared to ordinary users.

    As for the mail – OK, could be, I only checked the ordinary website (and it’s possible that the malware analysts did too, I have no idea). But I still find it strange – if the website exists. I suppose our definitions of a “normal user” are slightly different (as I’m certainly oriented towards the usual wintel platform).

  32. March 28th, 2011 at 15:40 | #32

    We talked about “open Android marketplace”. Not about “Android Market”. Two completely different things.
    Android has ‘open marketplace’, it allows you to install any app from anywhere. This is a contrast to closed iTunes Apple approach.

    Being it just the app, which sends ‘funny sms’, it’d not let us to write anything. But the fact that it was sending info to your website where was something receiving the data…

  33. J. Nousse
    March 28th, 2011 at 16:15 | #33

    It is shameful that Avast refuses to come clean on this. They have been wrong from the beginning, have edited their blog post to try and catch up, and have been extremely fast and loose with the absolute truth since the first day. Shameful behaviour it must be said.

  34. William
    March 28th, 2011 at 16:57 | #34

    @Jindřich: Earlier versions of this post (before editing) indeed stated that the Android Market was the source of the app (This is why I requested a MD5/SHA-1 sig). In fact, earlier versions of this post said many things that are now re-stated otherwise.

    Not only does Avast refuse to back down, Avast is taking the high road as “security professionals” and flatly stating that their perception is what decides things here as opposed to all the evidence that Avast simply jumped the gun.

    Too much backtracking and not enough “hey guys, sorry, we screwed up”.

  35. March 28th, 2011 at 17:29 | #35

    I have the original text here:
    First sentence is talking about “3rd-party application stores”. Then it describes the bad app. Then it says “it tried to look like legitimate application (in this case Walk and Text)”.

    If anybody reads that that we are talking about the _original_ _market_ app Walk and Text, then they are simply wrong.

    And we’ve seen nothing close to “evidence”. Just rants, and only rants from a few IPs (fewer than names, obviously).

  36. William
    March 28th, 2011 at 17:30 | #36

    Avast: What is the MD5 and/or SHA-1 sig of the .APK file in question? This would allow users to rely on hard facts rather than your security professional’s perception of what is important. Please respond.

  37. William
    March 28th, 2011 at 18:48 | #37

    We have seen no “evidence” either. Only a constantly changing one-and-only blog post by a “Junior malware analyst” who obviously jumped the gun. How about a hash sig for some (finally) real evidence?

  38. March 28th, 2011 at 19:56 | #38

    What we wanted to state, we stated. There was only one major edit to get it clearer. No ‘constant changes’, but one major edit.

    We have nothing else to say:
    1) this is about malware found in the torrents, not on Android Market
    2) we don’t know who wrote it, but have our suspicions
    3) it sends data to the ‘official’ website which accepted data (no 404)
    4) official developer has no email contact information in _usual_ places, so we didn’t spend much time on contacting him.

    If you want the file, go and find it. I just don’t think I want to spend my time with the same rants again and again, because it doesn’t help anything.

  39. March 28th, 2011 at 20:20 | #39

    @Jindřich Kubec
    I think by insinuating again: “Just rants, and only rants from few ips (fewer than names, obviously).” that the comments are not coming from “real people and commenters” shows what the real essence of you and your company is (you being one of the leading figures in that company). I know that, because I am the one whose calls are being blocked!

    We have absolutely no idea who those readers are and you can bet that my word is worth more than the Net of your entire company, but we wholeheartedly thank those obviously smart people that have commented here to back us up in what is obviously (by anyone outside of Avast) an Ad campaign for a coming product on the Android Market.

    If you do have the original text, then please quote the passage about us “taking money from customers and then sending personal information to our servers”. Our App doesn’t even ask for the INTERNET permission, how is it going to do that? As for the 404 Page, I read that you are in the software development for 15 years, so I guess you should by now know that 404 pages are not always shown especially if the site owner doesn’t want them to be shown even if you did ever visit that page as you are suggesting.

    “4) official developer has no email contact information in _usual_ places, so we didn’t spend much time on contacting him.”
    Quote from the article:
    “So we then try to find out who IncorporateApps is and to contact them.”

    Hm, I wonder how much contradiction can one person put into two sentences to see that he is obviously lying about trying to contact us.

    And once again, if you do not use ILLEGAL material for your story, maybe, just maybe you would’ve found a way to contact us, like about thousand people have done so far (look at the download rates of the Apps).

    It is still unbelievable how you can even have the nerve to justify yourself after writing such a false article on the Internet based on “suspicions” and not “facts”.
    And it is also very “suspicious” that you can put your “suspicions” on an official Avast blog page and nobody from your company cares to investigate on the matter.

  40. March 28th, 2011 at 20:28 | #40

    And just to finish it off – Android is as safe as an iPhone or a Blackberry, I know that companies like Avast would like us to believe they aren’t but they are!

    If you play with the fire, explicitly allow apps from unnamed sources and click ok on the disclaimer (under settings), go and download files from torrents, do not check the permissions of those Apps, furthermore engage in illegal activities, then I guess there is nothing you can complain about?

    This is the same as writing an Article about buying a fake iPhone and getting it back to Apple for repair once it malfunctions?
    How about writing an article next time about a jailbroken iPhone that sends personal information, because somebody forgot to change their ssh passwords?

    I am also to hear from you that you are not developing an Android Anti Piracy App?

  41. William
    March 28th, 2011 at 20:37 | #41

    Rants? The only rant, which is not very clear and often changed, is coming from Avast. No hash sig to offer? Seems like a reasonable request but I’ll take your refusal as evidence that the file might not even exist.

  42. William
    March 28th, 2011 at 20:52 | #42

    This text has since been deleted:

    “But is the victim of this kind of application really stupid? Sometimes to
    distinguish between legitimate and malicious applications on Android can be
    real analyst work. It is also one of the reasons why Android attracts so
    many cybercriminals these days and why the official Android Market is not
    the entirely safe territory as many people have thought.”

    What is the point of mentioning the safety of the “official Android Market” if you are dealing with a torrent file? (perhaps a non-existent one since you won’t even cough up a hash sig)

  43. March 28th, 2011 at 21:07 | #43

    Your first point:
    William william.hill@*.com 86.69.86.53
    Sacha sacha.blow@*.com 86.69.86.53
    Oh, yes, you know nothing about it and they’re just people which defend you…

    Your wat.php, the collector of the info from the ‘fake app’ did not return 404. We don’t use browsers for verifying such things, so we don’t need error page to know the http status code. Also, the German server you host on returns fancy green German text.

    Point 4: This is not a contradiction. We checked the usual places, found no email contacts. Done. I call this “try to contact them”. This is the exact “thoroughness” it needed.

    The talk about ILLEGAL is complete nonsense. All the stuff we deal with is ‘ILLEGAL’ in any sense.

    There is a huge distinction between jailbroken iPhone and standard Android phone. The fact that you can freely install anything on Android is simply much more problematic from the security standpoint. And, there were malware applications on the Android Market recently, and, no, nobody reads the activities, because there was about 280.000 downloads of such apps on Market.

    Our message was – beware of what you download on your Android phone. And we used the sample which was not described on other blogs – and there were multiple blogs on similar themes in past few weeks out there.

    So yes, everything you say is rants without substance.
    You are looking for completely unimportant things trying to downplay the facts.

    That there is an application out there which punishes users which want pirated version of your app, which sends data to your server, which collected it, which contains same graphics, same resources as the original package (easy to steal, I admit) and which also contains links to the market when the person can buy it.
    “We really hope you learned something from this. Check your phone bill;) Oh and dont forget to buy the App from the Market”.
    Yes, now you’ll say you know nothing about it and the page did not exist. Done. No need to continue then in this endless, nonproductive and repetitive talk.

  44. March 29th, 2011 at 00:40 | #44

    No I will not say anything because I will have to repeat myself.

    I will just add this: It is very unfortunate that you feel the need to reveal users’ IP addresses to prove something and still fail to do anything but compromise yourself. This is not only sad, this is disturbing and once again I leave it to the people out there to figure the person doing it out.

    Even if I was a magician I don’t have the chance to go to France and comment from there and get back in the next 5 minutes and comment from the German IP (I am sure you checked if the IPs were from proxies and I am sure you can check my IP also…). And no, I do not know anyone from France and this is also a fact.
    If this person is willing, I suggest they even share their identity, id or something, here so they can prove you, once again, wrong for making false assumptions based on “suspicions”.

    It is very sad, that even though a man of age, you failed to learn anything from life. It is also sad that such person, with such a low moral, equal to his low education, is more or less responsible for a software that is to protect personal computers. I feel sorry for those users already.
    I hope that your company will thank you for this post once the lawsuit has been filed.

  45. Sean Kelly
    March 29th, 2011 at 07:54 | #45

    Avast now revealing IP addresses of those that disagree? Unprofessional at best, gangster-like at worst. I expected better. Fail.

  46. Petr Bucek
    March 29th, 2011 at 09:05 | #46

    Dear incorporateapps,

    I have to add some point of avast support view to this discussion.

    As Igor wrote, Android and Windows worlds are different. I had also tried to contact you and find some information on the web and it was impossible. I am sorry if Android companies do not have websites, I did not know that. Why can you not realize that we are a company involved mostly in the Windows/Linux world and that you read a blog entry from the virus lab section ( http://blog.avast.com/category/viruslab/ ), which describes a malware behaviour? No one wrote about an infection in your application on the market. That’s the main point and the rest is just an irrational never-ending discussion.

    Also it’s not true that we are blocking your calls, so do not say so. We have no reason to do it. You called us last week and wanted to transfer the call to the person who was not at his office (most probably Jindřich Kubec or our CEO) and you were connected with my colleague (David if you remember). Please understand that people from upper management are not always available. You might also have called us during the weekend and did not reach us – that’s what I do not know. We are ready to answer your calls unless you start to insult us in an uneducated way.

    From my experience the discussion finishes when one of the sides starts to use either completely irrelevant arguments or starts to be impolite. I worry that you have done both.

    Petr Bucek

  47. March 29th, 2011 at 09:50 | #47

    Georgi and others, I am the CEO at Avast. I have been following this thread and wondering if anything substantive would be added to the discussion. But unfortunately, nothing has been. Instead, I am seeing our firm and employees being called liars, morons, and racists. We are being accused of trying to plant fear in the Android market, publicizing this because of an upcoming product, and we have even been accused by you Georgi, of actually planting this bad/pirated application.

    I am also pretty convinced that the commenters here are associates of some sort. I am not even sure they are real people. Most comments are coming from gmail accounts. Gmail is a great service and it is also quite anonymous compared to other email systems. I do not think that there is another thread on here where virtually all of the negative commenters have gmail accounts. There is one exception with a hotmail email. But even it is strange as it comes from the same French IP address as one of the gmail commenters but the hotmail address actually belongs to a fireman in the UK. As was also pointed out, it seems that there are multiple emails coming from the same IP address.

    When I do internet searches on the gmail addresses, there are no hits. Maybe all of the commenters are extremely private and have never established a facebook (or other social networking account) and have never, ever used their email address publicly. They must have been so upset at the injustice done here that they have spontaneously decided to post comments. Or maybe the email addresses were just created for this purpose… maybe they are not even real.

    Ridiculous “Facts” are also being created instead of the main issue being addressed. For example, your claim that 80% of Android application developers do not have websites or post a web email address is absurd. I randomly checked 8 of the Android featured applications–7 had real websites with content and contact information; one had a facebook page. Your website was the only one I saw in my quick look that had a stub page and no contact information.

    We are not ignoring you. You had a long private call with our CTO. You have had numerous postings we have replied to. All of our email addresses are very well known and you could easily send me an email if you wish.

    We are now closing this thread. If you would like to answer the substantive issues that Jindra and others have listed, feel free to email me directly.

    Regards,

    Vince

Comments are closed.