ExpensiveWall malware running big bills for Android users

Google has been forced to remove around 50 apps from its Google Play store after it was found that these apps contained malware used to run up big bills for unsuspecting victims.

The malware, discovered and dubbed ExpensiveWall, by Check Point Software, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users.

Check Point's researchers said that this particular malware could have been downloaded up to 4.2 million times before the apps were removed.

Researchers Elena Root, Andrey Polkovnichenko & Bohdan Melnykov, said the malware was found mainly in an Android wallpaper app Lovely Wallpaper.

"ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said researchers.

The malware differs from previous strains in that it is packed' an advanced obfuscation technique used by malware developers to encrypt malicious code allowing it to evade Google Play's built-in anti-malware protections.

Researchers notified Google with the search firm pulling the apps on 7 August. But within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Check Point warned that any infected app installed before it was removed from the App store, still remains installed on users' devices.

"Users who downloaded these apps are therefore still at risk and should manually remove them from their devices," Check Point said.

According to researchers, the malware it requests several common permissions, including internet access which allows the app to connect to its C&C server and SMS permissions which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

"ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI," said researchers.

Researchers believe ExpensiveWall is spread to different apps as an SDK called "gtk", which developers embed in their own apps.

Javvad Malik, security advocate at AlienVault, said that with so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction.

"App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities. Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly," he said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.