Android/PBL.A is an application found in the official Google Play market that provides access to a phone book database on the Internet but, at the same time, sends sensitive personal information to the same remote server. However, in the description of the app, the developer states that the address book and location information will be stored in a MySQL database.
When it is about to be installed, Android/PBL.A requests the following suspicious permissions: READ_CONTACTS, WRITE_CONTACTS, ACCESS_FINE_LOCATION and ACCESS_MOCK_LOCATION. Once it is executed, Android/PBL.A shows the user an interface that allows searching by any combination of name, address or phone number.
At the same time, Android/PBL.A obtains the geographical location of the device and starts an execution thread that establishes a remote connection to a MySQL database on the host ata[sensored].jp. After that, the malware checks whether the device is already registered in the remote database by looking for its android_id (a unique 64-bit number that is randomly generated on the device's first boot and remains constant for the lifetime of the device) on the remote server. If the device is not present in the database, Android/PBL.A collects sensitive information about the contacts stored on the device, such as phone number, name, ZIP code, country, address and e-mail, and sends it to the remote server along with the geographical location of the device and the android_id. That information is obtained and stored in the remote database in the background and without the user's consent.
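The install-time permission set listed above can be checked statically before an app reaches a device. The following is an added example, not code from the original write-up or from the app: it parses a decoded AndroidManifest.xml and flags requests that pair contact access with location access. The sample manifest, package name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permission groups taken from the list in the write-up above.
CONTACTS = {"READ_CONTACTS", "WRITE_CONTACTS"}
LOCATION = {"ACCESS_FINE_LOCATION", "ACCESS_MOCK_LOCATION"}

# Constructed sample manifest in decoded text form (not the real app's file).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phonebook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION"/>
  <application android:label="Phone book"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return short names of every android.permission.* the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            perms.add(name[len(PREFIX):])
    return perms


def triage(manifest_xml):
    """Flag manifests that pair contact access with location access."""
    perms = requested_permissions(manifest_xml)
    contacts = sorted(perms & CONTACTS)
    location = sorted(perms & LOCATION)
    return {
        "contacts": contacts,
        "location": location,
        # Either group alone is common; together they allow an address book
        # to be tied to where the device is, so send the app for review.
        "flagged": bool(contacts and location),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Manifests inside an APK are stored as binary XML, so they must be decoded to text (for example with apktool) before being passed to `triage`.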