ExpensiveWall malware running big bills for Android users

Millions of Android devices affected, Google purges apps

Google has been forced to remove around 50 apps from its Google Play store after it was found that these apps contained malware used to run up big bills for unsuspecting victims.

The malware, discovered and dubbed ExpensiveWall, by Check Point Software, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users.

Check Point's researchers said that this particular malware could have been downloaded up to 4.2 million times before the apps were removed.

Researchers Elena Root, Andrey Polkovnichenko & Bohdan Melnykov, said the malware was found mainly in an Android wallpaper app Lovely Wallpaper.

"ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said researchers.

The malware differs from previous strains in that it is packed' an advanced obfuscation technique used by malware developers to encrypt malicious code allowing it to evade Google Play's built-in anti-malware protections.

Researchers notified Google with the search firm pulling the apps on 7 August. But within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Check Point warned that any infected app installed before it was removed from the App store, still remains installed on users' devices.

"Users who downloaded these apps are therefore still at risk and should manually remove them from their devices," Check Point said.

According to researchers, the malware it requests several common permissions, including internet access which allows the app to connect to its C&C server and SMS permissions which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

"ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI," said researchers.

Researchers believe ExpensiveWall is spread to different apps as an SDK called "gtk", which developers embed in their own apps. 

Javvad Malik, security advocate at AlienVault, said that with so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction.

"App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities. Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly," he said.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Qualcomm modem flaw puts millions of Android users at risk
Google Android

Qualcomm modem flaw puts millions of Android users at risk

6 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
How to unroot Android
Google Android

How to unroot Android

26 Mar 2021
Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021