ExpensiveWall infects millions of Android devices using Google Play

by Lucia Danes - -

50 apps were removed from Google Play store because they were harboring ExpensiveWall – premium SMS malware.[1] The virus aims to send false premium SMS messages for fraudulent paid services without the victim’s knowledge or permission. The malware infected millions of Android devices (it was downloaded from 1 to 4.2 million times).


ExpesiveWall was mainly bundled in the app called Lovely Wallpaper, according to research.

The premium SMS malware is a new version of the malware detected earlier in 2017 on Google Play store. The whole malware family has infected millions of Android devices and has been downloaded from about 6 million to over 21 million times, according to researchers at Check Point.

The most recent malware strain separates itself from the entire malware family. The virus employs a progressive obfuscation technique known as “packed”. This technique allows malicious programs to be compressed, and it encodes them in order to remain secret.

Google found out about the infected apps on August 7, 2017 and immediately blocked them from its Google Play store. However, researchers reported that the malware reappeared on the store several days later on a new app of unknown identity. As a result, over 5,000 more devices downloaded the virus before it was removed.[2]

While the most recent infiltration influenced approximately 50 applications on Google Play, Google has been facing security issues with fraudulent apps for the whole year: in August, four messaging applications were deleted from the store because they contained SonicSly spyware; earlier, in May, a virus named Judy was detected in 40 apps and installed about 36 million times. Also, at least four separate malware attacks were detected on Google Play, including viruses called Dvmap, SMSVova, Ztorg and malicious iFrames.

When it comes to ExpensiveWall revenue, it is unknown how much profit was generated via the premium SMS malware, researchers reported.

ExpensiveWall works pretty simply – once it’s downloaded, it requests a few permissions from the device: internet access (it allows app to connect to its C&C server) and SMS permissions that register consumers for fee-based services and allow sending premium SMS without the victim’s knowledge. These permissions for a scam are not uncommon and also widely used by legitimated apps and thus, the malware sneaked through the Google Play security.

Check Point reported that “ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a Web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI”.

After a consumer switches connectivity settings on the device or turns it on, ExpensiveWall joins its C&C server and collects the URL address. The URL is exposed in an inserted WebView, which includes malicious code with the ability to invoke features inside the app, such as subscribing to paid services and sending SMS.

Researchers also warn developers that the ExpensiveWall malware is capable to potentially infect a range of apps via SDK, also known as GTK.

About the author

Lucia Danes
Lucia Danes - Malware and spyware analyst

Lucia Danes is a news editor at Reviewedbypro.com. She is extremely passionate when it comes to helping people deal with various online threats, so she wants her articles to be understood even by those with no IT background.

Contact Lucia Danes
About the company Esolutions


now online
Like us on Facebook