ExpensiveWall malware running big bills for Android users

Millions of Android devices affected, Google purges apps

Google has been forced to remove around 50 apps from its Google Play store after it was found that these apps contained malware used to run up big bills for unsuspecting victims.

The malware, discovered and dubbed ExpensiveWall, by Check Point Software, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users.

Check Point's researchers said that this particular malware could have been downloaded up to 4.2 million times before the apps were removed.

Researchers Elena Root, Andrey Polkovnichenko & Bohdan Melnykov, said the malware was found mainly in an Android wallpaper app Lovely Wallpaper.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said researchers.

The malware differs from previous strains in that it is packed' an advanced obfuscation technique used by malware developers to encrypt malicious code allowing it to evade Google Play's built-in anti-malware protections.

Researchers notified Google with the search firm pulling the apps on 7 August. But within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Check Point warned that any infected app installed before it was removed from the App store, still remains installed on users' devices.

"Users who downloaded these apps are therefore still at risk and should manually remove them from their devices," Check Point said.

According to researchers, the malware it requests several common permissions, including internet access which allows the app to connect to its C&C server and SMS permissions which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

Advertisement - Article continues below

"ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI," said researchers.

Researchers believe ExpensiveWall is spread to different apps as an SDK called "gtk", which developers embed in their own apps. 

Javvad Malik, security advocate at AlienVault, said that with so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction.

"App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities. Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly," he said.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/mobile/23617/the-best-smartphones-to-buy
Mobile

Best smartphone 2019: Apple, Samsung and OnePlus duke it out

24 Dec 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020