50 apps were removed from the Google Play store because they were harboring ExpensiveWall – premium SMS malware. The malware sends premium-rate SMS messages that sign the victim up for fraudulent paid services without the victim’s knowledge or permission. It infected millions of Android devices (the affected apps were downloaded between 1 million and 4.2 million times).
ExpensiveWall was mainly bundled in an app called Lovely Wallpaper, according to the research.
The premium SMS malware is a new version of a strain detected earlier in 2017 on the Google Play store. The whole malware family has infected millions of Android devices and has been downloaded between roughly 6 million and over 21 million times, according to researchers at Check Point.
The most recent strain differs from the rest of the malware family in one respect: it employs an advanced obfuscation technique known as “packing”, which compresses and encrypts the malicious code so that it stays hidden from scanners.
Google found out about the infected apps on August 7, 2017 and immediately blocked them from its Google Play store. However, researchers reported that the malware reappeared on the store several days later in a new, unidentified app. As a result, over 5,000 more devices downloaded the malware before it was removed.
While the most recent infiltration affected approximately 50 applications on Google Play, Google has been facing security issues with fraudulent apps for the whole year: in August, four messaging applications were deleted from the store because they contained SonicSpy spyware; earlier, in May, a virus named Judy was detected in 40 apps and installed about 36 million times. In addition, at least four separate malware attacks were detected on Google Play, including the viruses Dvmap, SMSVova and Ztorg and malicious iFrames.
As for ExpensiveWall revenue, researchers reported that it is unknown how much profit the premium SMS malware generated.
ExpensiveWall works pretty simply – once it is installed, it requests a few permissions from the device: internet access (which allows the app to connect to its C&C server) and SMS permissions, which let it register victims for fee-based services and send premium SMS without the victim’s knowledge. Such permissions are not uncommon for a scam and are also widely requested by legitimate apps, which is how the malware slipped through Google Play’s security checks.
Whenever the user changes the device’s connectivity settings or turns it on, ExpensiveWall connects to its C&C server and retrieves a URL. The URL is loaded in an embedded WebView, and the page it serves contains malicious code that can call functions inside the app, such as subscribing to paid services and sending SMS.
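The behaviour just described (internet access plus SMS permissions, and a receiver that wakes the malware on connectivity changes or boot) is the kind of combination an analyst can flag statically from a decoded AndroidManifest.xml. The script below is an added triage example, not code from the article or from Check Point; the two manifests are constructed samples and the package names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the behaviour described above (not from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: a wallpaper app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
WAKEUP_ACTIONS = {"android.net.conn.CONNECTIVITY_CHANGE",
                  "android.intent.action.BOOT_COMPLETED"}


def triage_manifest(xml_text):
    """Return the package name, a list of findings and an overall verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    findings = []
    sms = perms & SMS_PERMS
    has_net = "android.permission.INTERNET" in perms
    if sms and has_net:  # can talk to a C&C server and send/intercept SMS
        findings.append("sms+internet: " + ", ".join(sorted(sms)))
    wake = actions & WAKEUP_ACTIONS
    if wake:  # triggers on boot or connectivity change, as described above
        findings.append("wake-up receiver: " + ", ".join(sorted(wake)))
    return {"package": root.get("package"), "findings": findings,
            "suspicious": bool(sms and has_net and wake)}
```

Run against an apktool-decoded manifest this only flags a permission and trigger pattern; confirming the WebView/C&C behaviour still requires looking at the code.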
Researchers also warn developers that ExpensiveWall is capable of infecting a range of apps because it is distributed inside an SDK, referred to as GTK.