ExpensiveWall malware running big bills for Android users

Millions of Android devices affected, Google purges apps

Google has been forced to remove around 50 apps from its Google Play store after it was found that these apps contained malware used to run up big bills for unsuspecting victims.

The malware, discovered and dubbed ExpensiveWall, by Check Point Software, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users.

Check Point's researchers said that this particular malware could have been downloaded up to 4.2 million times before the apps were removed.

Researchers Elena Root, Andrey Polkovnichenko & Bohdan Melnykov, said the malware was found mainly in an Android wallpaper app Lovely Wallpaper.

"ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said researchers.

The malware differs from previous strains in that it is packed' an advanced obfuscation technique used by malware developers to encrypt malicious code allowing it to evade Google Play's built-in anti-malware protections.

Researchers notified Google with the search firm pulling the apps on 7 August. But within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Check Point warned that any infected app installed before it was removed from the App store, still remains installed on users' devices.

"Users who downloaded these apps are therefore still at risk and should manually remove them from their devices," Check Point said.

According to researchers, the malware it requests several common permissions, including internet access which allows the app to connect to its C&C server and SMS permissions which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

"ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI," said researchers.

Researchers believe ExpensiveWall is spread to different apps as an SDK called "gtk", which developers embed in their own apps. 

Javvad Malik, security advocate at AlienVault, said that with so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction.

"App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities. Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly," he said.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
CISA, FBI, and NSA issue a Conti ransomware advisory
ransomware

CISA, FBI, and NSA issue a Conti ransomware advisory

23 Sep 2021
Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Ransomware hackers break off from Babuk to join a new group
ransomware

Ransomware hackers break off from Babuk to join a new group

9 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021