ExpensiveWall malware running big bills for Android users

Millions of Android devices affected, Google purges apps

Google has been forced to remove around 50 apps from its Google Play store after it was found that these apps contained malware used to run up big bills for unsuspecting victims.

The malware, discovered and dubbed ExpensiveWall, by Check Point Software, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users.

Advertisement - Article continues below

Check Point's researchers said that this particular malware could have been downloaded up to 4.2 million times before the apps were removed.

Researchers Elena Root, Andrey Polkovnichenko & Bohdan Melnykov, said the malware was found mainly in an Android wallpaper app Lovely Wallpaper.

"ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said researchers.

The malware differs from previous strains in that it is packed' an advanced obfuscation technique used by malware developers to encrypt malicious code allowing it to evade Google Play's built-in anti-malware protections.

Researchers notified Google with the search firm pulling the apps on 7 August. But within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Check Point warned that any infected app installed before it was removed from the App store, still remains installed on users' devices.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Users who downloaded these apps are therefore still at risk and should manually remove them from their devices," Check Point said.

According to researchers, the malware it requests several common permissions, including internet access which allows the app to connect to its C&C server and SMS permissions which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

"ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI," said researchers.

Researchers believe ExpensiveWall is spread to different apps as an SDK called "gtk", which developers embed in their own apps. 

Advertisement - Article continues below

Javvad Malik, security advocate at AlienVault, said that with so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction.

"App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities. Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly," he said.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020