Mobile threat research team ‘Check Point’ identified a new variant of Android malware that sends fraudulent premium SMS messages and charges user accounts for fake services without their knowledge. The malware had infected at least 50 apps, which were downloaded between 1 million and 4.2 million times before they were removed from Google Play.

The malware, ‘ExpensiveWall’, is designed to generate profit from its victims by registering them for premium services without their knowledge, sending fraudulent premium SMS messages and charging them for fake services. Once an infected app is downloaded, it requests permissions for SMS and internet access. These permissions allow the app to connect to its C&C (Command and Control) server, send premium messages and register users for paid services without their knowledge.

‘ExpensiveWall’ contains an interface that connects JavaScript code with in-app actions; the JavaScript runs in a web interface known as ‘WebView’. After it is installed and granted permissions, ‘ExpensiveWall’ sends data to its C&C server, including location, IMEI, IMSI, and MAC and IP addresses. Every time the app senses a connectivity change, it receives a URL containing malicious JavaScript code that uses JavascriptInterface to initiate in-app functions. The malware triggers the JavaScript code by remotely clicking on links in the URL, similar to ad clicks in other scenarios.

The malware could easily be modified to capture pictures, record audio and steal sensitive data. Because it operates silently, infected devices could act as spying tools on the victims.

‘ExpensiveWall’ is a new variant of malware discovered earlier on Google Play, which takes the total downloads to between 5.9 million and 21.1 million. What sets ‘ExpensiveWall’ apart is that it is ‘packed’, allowing it to evade Google Play’s built-in anti-malware protections.

The research team notified Google about the malware on the 7th of August 2017, and Google promptly removed the reported apps from the store. After the apps were removed, another sample infiltrated Google Play, affecting over 5000 devices. These apps were removed four days later.

Malware such as ‘ExpensiveWall’ requires advanced protections capable of identifying and blocking malware using static and dynamic app analysis. Users are advised to use the best cybersecurity solutions to protect themselves from such malware.
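As an added illustration of the static side of that analysis (this is not Check Point's tooling or code from the original report), the sketch below triages a decoded `AndroidManifest.xml` and decompiled source for the combination described above: SMS plus internet permissions, a connectivity-change receiver and a WebView JavaScript bridge. The sample manifest, the sample source line and the verdict labels are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: one line of decompiled source text.
SAMPLE_SOURCE = 'webView.addJavascriptInterface(new Bridge(this), "bridge");'

def manifest_signals(manifest_xml):
    """Collect the manifest-level signals the article describes."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    signals = set()
    if "android.permission.SEND_SMS" in perms:
        signals.add("sms")
    if "android.permission.INTERNET" in perms:
        signals.add("internet")
    if "android.net.conn.CONNECTIVITY_CHANGE" in actions:
        signals.add("connectivity_receiver")
    return signals

def triage(manifest_xml, source_text=""):
    """Return (verdict, signals); verdict labels are hypothetical."""
    signals = manifest_signals(manifest_xml)
    # Code-level signal. A packed app can hide this call from a static scan,
    # so SMS + internet in the manifest alone escalates to dynamic analysis.
    if re.search(r"\baddJavascriptInterface\s*\(", source_text):
        signals.add("js_bridge")
    if {"sms", "internet"} <= signals:
        verdict = "high-risk" if "js_bridge" in signals else "dynamic-analysis"
    else:
        verdict = "low"
    return verdict, sorted(signals)
```

Permissions must be declared in the manifest even when the code is packed, which is why the manifest signals drive the escalation and the bridge check only raises the verdict.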