Over the last couple of days, the Juniper Global Threat Center has been analyzing and tracking more pirated applications with malicious code tucked into them, called “Pirate Text”. In keeping with the recent trend, we’re looking at one application that has been pirated from the Android Market and is being passed around third-party app stores and torrents, which are peer-to-peer file-sharing resources.
The main application we’re looking at is currently the 14th rated Android application by “101 Best Android Apps”. What appears to have happened is that the copyright-holding developer, Incorporate Apps, published a new version (1.3.6) of the “Walk and Text” application to the Android Market. Within two hours, the new version was pirated from the Market, taken apart, modified to include the malicious code, re-signed with a different key, and then distributed as an even newer version in several torrents.
In one particular forum that was peddling the pirated application, we even saw Incorporate Apps post a cease and desist in the thread and go after the forum’s moderator to remove the links to the mirrors that were hosting the pirated application. During our analysis, it was obvious that the links had been removed on that particular site, but we were still able to find copies of the original application and the new malicious application from other locations.
The version that was pirated from the Market was version 1.3.6. The current Market version is 1.5.3. The version that has the malicious code is version 1.3.7. As far as we can tell, version 1.3.7 is not an official update to the legitimate application that was pushed out from Incorporate Apps. It looks like the version 1.3.7 in circulation is actually version 1.3.6 with malicious code written in, subsequently signed with a different self-signed certificate than the one used by Incorporate Apps. This is a good indication that someone else repackaged this application, because they did not have access to the legitimate certificate from the original developer.
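The certificate comparison described above can be automated. The following is an added example, not code from the original analysis: it extracts the signing certificate from an APK's JAR-style signature block (`META-INF/*.RSA`) and compares fingerprints between two builds. It assumes a DER-encoded PKCS#7 block whose first certificate is the signer's; all function names are hypothetical, and the sample APKs are constructed zip files with filler bytes in place of real certificates.

```python
import hashlib, io, re, zipfile

def der_children(buf, pos, end):
    """Yield (tag, elem_start, value_start, elem_end) for each DER element in buf[pos:end]."""
    while pos < end:
        tag, length, v = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            if n == 0:
                raise ValueError("indefinite (BER) length not supported")
            length, v = int.from_bytes(buf[v:v + n], "big"), v + n
        if v + length > end:
            raise ValueError("truncated DER element")
        yield (tag, pos, v, v + length)
        pos = v + length

def signer_cert_sha256(apk_bytes):
    """SHA-256 of the first certificate in the APK's JAR signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = [n for n in z.namelist() if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n, re.I)]
        if not names:
            raise ValueError("no signature block under META-INF/")
        p7 = z.read(names[0])
    node = next(der_children(p7, 0, len(p7)))  # ContentInfo SEQUENCE
    # Descend: [0] EXPLICIT wrapper -> SignedData -> certificates [0] -> first Certificate
    for want in (0xA0, 0x30, 0xA0, 0x30):
        node = next((c for c in der_children(p7, node[2], node[3]) if c[0] == want), None)
        if node is None:
            raise ValueError("unexpected PKCS#7 layout")
    return hashlib.sha256(p7[node[1]:node[3]]).hexdigest()

def same_signer(apk_a, apk_b):  # False means a different key signed the second build
    return signer_cert_sha256(apk_a) == signer_cert_sha256(apk_b)

def der_tlv(tag, body):  # tiny encoder for the constructed sample only (lengths < 65536)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_apk(cert_filler, dex=b"v1"):
    """Constructed APK-shaped zip; the 'certificate' is filler bytes, not real X.509."""
    cert = der_tlv(0x30, cert_filler * 40)
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, b"")
                     + der_tlv(0xA0, cert) + der_tlv(0x31, b""))
    p7 = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010702")) + der_tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", p7)
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

A legitimate update from the same developer keeps the fingerprint even though the code changes, so `same_signer` returning `False` for two builds of one package is the repackaging signal described above.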
The malicious “Walk and Text v1.3.7” application appears to function normally to the user. However, in the background it sends an SMS message to all of the device’s contacts with the following message:
“Hey, just downloaded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck.Don\’t steal like I did!”
The certificate that was used to sign “Walk and Text v1.3.7” is particularly interesting as well:
Here is an image of the certificate used to sign the legitimate application that we downloaded from the Android Market:
At this point, initial analysis indicates that the malicious “Walk and Text v1.3.7” does not do anything other than send annoying SMS messages to the device’s contacts. The nature of the SMS message that is sent would indicate that someone wanted to make a point that downloading pirated applications is unethical, but the method they used is just as unethical.
Over the past 3 months, it’s become painfully obvious that downloading applications from third-party locations carries more danger than paying the nominal fee necessary to get legitimate versions legally. For users who simply cannot force themselves to download applications from the official Android Market, new and legitimate app stores are popping up with the backing of legitimate business practices and promotions, like Amazon’s App Store for Android.
Though we believe the infection rate to be extremely low, Junos Pulse Mobile Security Suite users are already protected from the threat posed by “Walk and Text v1.3.7” as of 3/29/2011.
Android users who are not protected by Junos Pulse Mobile Security Suite and who have downloaded their version of “Walk and Text” from a third-party location can check the version of their application by tapping Settings > Applications > Walk and Text. If your version number is 1.3.7, it is highly recommended that the application be uninstalled.
Once the application has been removed, you can download and PAY for the legitimate application from the Android Market. And, don’t forget to apologize to your friends for sending them the SMS message telling them that you were using a pirated application…