Japanese animation is known as anime and Japanese comics are known as Manga. In the last two decades, these industries have grown in popularity across the world. People know that cashing in on the latest trend is often an easy way to earn money, and many legal and illegal businesses often take advantage of this. The popularity of anime and manga has opened up a new avenue for cybercriminals to push malware threats onto unsuspecting fans through malvertisements and mobile risks.

During the early 90’s Japanese comics experienced a boom in the US market and earned their place on the shelves of major book sellers. Before these books can be read by fans who do not speak Japanese, they must be translated. The number of manga being officially translated is growing, but this doesn’t seem to be enough to keep fans satisfied. In addition, only the more popular titles are candidates for translation.

One problem the manga industry faces is how to choose the comics that will be appreciated by non-Japanese speaking fans. One indicator that proves to be very useful is reader communities. Some of these communities work together to produce translated scans of Japanese manga, known as scanlation (or scanslation).

Official editors monitored these communities and orientated their business accordingly; unfortunately it backfired. The Japanese comics and anime industry began to lose customers due to growing number of people accessing the Internet in the late 90’s and the rise of giant scanlation sites providing free online manga content.

In the last few years lawsuits have been launched against websites and communities offering scanlation services, as it is a violation of copyright if the holder hasn’t given their permission.

Scanlation involves a lot of work and a scanlating team can include the following members:

Translator

Cleaner

Proofer

Typesetter

Re-drawer

Team members are mostly volunteers, so in order to keep the publication of new material coming out at regular intervals, some form of monetization is needed and advertisements are often a key source of income.

Exploit kits and malvertisement

These sites show up to ten advertisements on a chapter’s page on average, and in some cases they are using eleven ad providers. Recent investigations around malvertisements, exploit kits, and the recently rolled out Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) led us to observe a number of scanlation sites linked to malicious redirections by malvertisement and malicious code. The chart shown in Figure 1 provides an overview of the different malware detections observed from July 2013 through early January 2014.

Figure 1. IPS detections from scanlation domains (July 2013 – January 2014)

With the roll out of CVE-2013-2551 in December 2013 and the shutdown of the Blackhole exploit kit, the trend has changed. We are observing more malvertisement type attacks that are mainly pushing out Trojan.FakeAV. In these recent malvertisement cases, the scanlation websites were not directly compromised with malicious code, it was their ad providers. The users of scanlation websites also become victims in these cases because of the heavy use of ads targeted at them on the websites. Figure 2 shows IPS detections from Scanlation domains observed from October 2013 to early January 2014.

Figure 2. IPS detections from scanlation domains (October 2013 - January 2014)

An evolving reading format

As smartphones and tablets have become a more integral part ofpeople’s lives, less are using their computers or actual books. A vast majority of websites have released mobile versions of their content to make mobile access easier.



We conducted a mobile browsing test and observed how readers were redirected while reading random pages of recently released manga. We saw that users sometimes encountered a forced redirection when trying to go to the next page. The redirection led to a download prompt for an APK file. We categorized this Android application, Airpush Adware, as a security risk. Airpush Adware can collect and send out the user’s phone number, email address, and a list of applications to third parties, which could lead to the user receiving spam through email and SMS.

Figure 3. Airpush privacy policy and advertising terms

A large number of mobile applications that collect manga from different scanlation domains have begun to appear. These apps can offer over 10,000 manga in multiple languages that users can read online and off. With high download and installation rates, these applications are ideal targets for malicious piggybacking and Trojanized readers. As an example, we found one application, distributed on third party markets that offered manga reading services, delivering premium SMS. Symantec detects this threat as Android.Opfake.

A growing global enthusiasm for scanlating

The detection data gathered from July 2013 through January 2014 on these scanlation domains shows regular spikes and that can easily be tied to the release of popular manga chapters for Naruto, Bleach, One Piece, Fairy Tail, and Kingdom.

A heatmap of the malvertisements seen on scanlation websites confirms that the highest readership is in the United States, followed by Europe, and Australia. Manga readership is also present in the Middle East and Brazil. Currently, the scanlation teams appear to be translating manga into six different languages (English, German, Italian, Spanish, Russian, and French).

Figure 4. IPS detections for Scanlation domains and malvertising (July 2013 – January 2014)

With a large variety of manga available, the vast amount of new comics can make the medium difficult to access unless the reader understands Japanese or waits for official editors to provide a translated version.

Because new mangaka (manga authors) need to earn their popularity with fans, they often allow, or turn a blind eye to, scanlation services. As such, the functional structure of scanlation services closely flirts with legal issues and copyright abuse. Unfortunately, the growing popularity of scanlation services has caused it to attract cybercriminal attention.

Symantec Security Response advises users to keep their software up-to-date to limit the successful exploit of vulnerabilities and not to install applications outside of trusted app stores.