ExpensiveWall Android Malware Slips Past Google Play Filters


Security experts have discovered premium-SMS Android malware lurking in legitimate-looking apps on Google Play, which have been downloaded over four million times.

Check Point’s Elena Root, Andrey Polkovnichenko and Bohdan Melnykov explained that the “ExpensiveWall” malware – named after one of the apps it hides in, “Lovely Wallpaper” – is a new variant of malicious code found earlier in the year.

Altogether, the malware family could have been downloaded over 21 million times.

Unlike the previously discovered version, this strain of malware uses so-called “packing”, an advanced obfuscation technique designed to bypass Google’s built-in security filters.

The aim of the game for the gang behind it is to make money by forcing victim devices to register with premium rate services and then send expensive SMS messages, often without the user’s knowledge.

“Once ExpensiveWall is downloaded, it requests several common permissions, including internet access – which allows the app to connect to its C&C server – and SMS permissions – which enable it to send premium SMS messages and register users for other paid services all without the user’s knowledge,” explained Check Point.

“While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.”
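A defender-side check for the permission pattern Check Point describes above, added here as an example rather than code from the article or from Check Point's research; the manifest below is constructed, and the risk tiers are an assumption of this example:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the article names: INTERNET for C&C traffic, SMS permissions
# for premium-rate messaging and silent registration with paid services.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
INTERNET_PERMISSION = "android.permission.INTERNET"

# Constructed sample manifest (not taken from any real app): a wallpaper app
# that requests SMS and network permissions a wallpaper has no need for.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovelywallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def premium_sms_risk(manifest_xml: str) -> dict:
    """Flag the INTERNET + SMS combination that lets an app take instructions
    from a server and send premium SMS without the user noticing."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    has_net = INTERNET_PERMISSION in perms
    # Assumed tiers: both together is the ExpensiveWall pattern (high);
    # SMS permissions alone still deserve review (medium); otherwise low.
    risk = "high" if sms and has_net else ("medium" if sms else "low")
    return {"sms_permissions": sms, "internet": has_net, "risk": risk}


if __name__ == "__main__":
    print(premium_sms_risk(SAMPLE_MANIFEST))
```

The same check can be run over the manifest extracted from any APK; a wallpaper or similar utility app landing in the high tier is worth manual review before it is trusted.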

Although the aim of this malware is to make as much money as possible from premium-rate SMS messages, it could be modified to steal sensitive data, capture pictures, record audio and send them to the C&C server.

“Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” the vendor warned.

Google pulled the offending apps as soon as it was notified by Check Point, although another sample appeared soon after and managed to infect a further 5,000 devices before it was removed four days later.

Javvad Malik, security advocate at AlienVault, argued that ecosystem providers like Google need to be constantly on the lookout for new ways to defeat the cyber-criminals.

“They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly,” he added.
