Malware that slips past Google Bouncer and reaches the Google Play Store is nothing new, yet it is still surprising when such apps infect millions of users without being flagged.
That is exactly what happened with two newly found malicious Android apps, CallJam and DressCode, which appeared in the official Google Play Store. By the time it was discovered, CallJam had been installed on 100,000 to 500,000 devices, and DressCode was detected in 40 apps in the store, also with 100,000 to 500,000 installs. The total number of infected users came to 2.5 million.
CallJam includes a premium dialer that lets it place fraudulent phone calls, as well as a rogue ad network used to push ads to infected users. The malware had been hidden in the game "Gems Chest for Clash Royale" since May; in that time it infected approximately half a million users, and Google was not aware of the problem until this week, Check Point researchers announced.
Once installed, CallJam asks for permission to make phone calls before it starts dialing, but most users simply grant it, assuming it is part of the game, without reading what they are agreeing to.
The malware's C&C server supplies the target premium phone number and the required call duration, and CallJam places the call using these parameters. That is not all: the malware can also redirect users to malicious web pages and display its fraudulent ads there rather than in the app itself, generating additional revenue for the operators.
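The permission request described above is the point where an app reviewer or a mobile-security triage pipeline can catch this class of app. The Python below is an added example (not Check Point's tooling and not code from the malware): it parses a decoded AndroidManifest.xml and flags permissions that a casual game has no reason to request. The manifest and the "game baseline" permission set are constructed for the example; a real APK stores the manifest in binary form, so you would first decode it with apktool or list permissions with `aapt dump permissions app.apk`.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that are dangerous in the hands of a "game" (assumed triage list,
# not an exhaustive one). CALL_PHONE is the one CallJam relies on.
SUSPICIOUS_FOR_GAME = {
    "android.permission.CALL_PHONE": "place calls, including premium numbers, without further UI",
    "android.permission.SEND_SMS": "send SMS, e.g. to premium shortcodes",
    "android.permission.READ_PHONE_STATE": "read IMEI / phone number for device fingerprinting",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
}

# What a typical casual game legitimately asks for (assumed baseline).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gemsstub">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Gems Stub">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # ElementTree expands the android: prefix
    return [el.get(name_attr) for el in root.findall("uses-permission") if el.get(name_attr)]


def triage_permissions(manifest_xml: str, baseline: set) -> dict:
    """Compare the requested permissions against a baseline for the app's category.

    'flagged' holds permissions from the suspicious list with the reason they matter;
    'unexpected' holds everything outside the baseline, flagged or not.
    """
    perms = requested_permissions(manifest_xml)
    return {
        "requested": perms,
        "flagged": {p: SUSPICIOUS_FOR_GAME[p] for p in perms if p in SUSPICIOUS_FOR_GAME},
        "unexpected": sorted(set(perms) - baseline),
    }


if __name__ == "__main__":
    report = triage_permissions(SAMPLE_MANIFEST, GAME_BASELINE)
    for perm, reason in report["flagged"].items():
        print("FLAG %s: %s" % (perm, reason))
    print("outside game baseline:", report["unexpected"])
```

The check is deliberately category-aware: CALL_PHONE is unremarkable in a dialer app, so the baseline, not the permission alone, is what turns the request into a finding. Runtime permission prompts (Android 6 and later) do not change this; as the article notes, users grant the prompt because the app frames it as part of the game.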
“Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk.” – researchers say.
DressCode, on the other hand, works in a completely different way. It builds a botnet out of infected phones, most probably to generate fake traffic and ad clicks. Beyond the 40 apps in the official Google Play Store that carry the malicious code, researchers also found it in another 400 apps on third-party application stores.
By the time these 40 Google Play apps were discovered (some had been available since April), the number of infected users was already between 500,000 and 2 million. Check Point reports that Google removed some of the infected apps after being notified of the problem.
Once installed, DressCode connects to its C&C server, which so far has been observed issuing only one command: sleep. Researchers believe the operators want to grow the botnet before putting it to use by turning infected devices into SOCKS proxies and routing traffic through them. They add that DressCode resembles the Viking Horde malware uncovered earlier this year. The resulting botnet can be used for various purposes, including infiltrating internal networks: a proxy running on a phone that is attached to a corporate Wi-Fi network gives its operator a path onto that network.
“Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations.”– Check Point notes.
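The risk Check Point describes is visible on the wire: a phone that is acting as a SOCKS server toward an outside peer, and being asked to CONNECT to addresses inside the network it sits on. The Python below is an added example, not Check Point's detection or DressCode's code. It assumes the proxy speaks SOCKS5 (RFC 1928); the report only says "SOCKS proxies", so treat the version as an assumption. The flow records, the internal-address list and the peer addresses are constructed for the example.

```python
import ipaddress

# SOCKS5 wire format per RFC 1928 (assumed protocol version for the proxy).
SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Address space considered "internal" from the phone's point of view (assumed policy).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def is_socks5_greeting(data: bytes) -> bool:
    """Client hello: VER=5, NMETHODS, then exactly NMETHODS auth-method bytes."""
    return len(data) >= 3 and data[0] == SOCKS_VER and len(data) == 2 + data[1]


def is_socks5_method_reply(data: bytes) -> bool:
    """Server's choice of auth method: VER=5, METHOD (0xFF = none acceptable)."""
    return len(data) == 2 and data[0] == SOCKS_VER


def parse_socks5_request(data: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd_name, host, port), or None."""
    if len(data) < 7 or data[0] != SOCKS_VER or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) == 7 + data[4]:
        n = data[4]
        host, port_off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == ATYP_IPV6 and len(data) == 22:
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None  # malformed or unknown address type
    port = int.from_bytes(data[port_off:port_off + 2], "big")
    return CMD_NAMES.get(cmd, "CMD_0x%02x" % cmd), host, port


def is_internal_target(host: str) -> bool:
    """True for literal addresses inside INTERNAL_NETS; hostnames cannot be judged offline."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse_flow(flow: dict) -> dict:
    """flow = {"phone", "peer", "from_peer": [payloads...], "from_phone": [payloads...]}.

    The phone is acting as a SOCKS server if the *peer* opens with a SOCKS5 greeting
    and the *phone* answers with a method reply; later peer payloads are parsed as requests.
    """
    from_peer, from_phone = flow["from_peer"], flow["from_phone"]
    as_server = (bool(from_peer) and bool(from_phone)
                 and is_socks5_greeting(from_peer[0])
                 and is_socks5_method_reply(from_phone[0]))
    targets = [r for r in map(parse_socks5_request, from_peer[1:]) if r] if as_server else []
    return {
        "phone": flow["phone"], "peer": flow["peer"], "socks_server": as_server,
        "targets": targets,
        "internal_targets": [t for t in targets if is_internal_target(t[1])],
    }


def find_proxy_abuse(flows) -> list:
    """Return the analysis of every flow in which a phone served SOCKS5 to an outside peer."""
    return [r for r in map(analyse_flow, flows) if r["socks_server"]]


# Constructed flows: two phones proxying for the same outside peer, one normal TLS client.
SAMPLE_FLOWS = [
    {"phone": "10.20.30.40", "peer": "198.51.100.7",
     "from_peer": [b"\x05\x01\x00",                                   # greeting, no-auth
                   b"\x05\x01\x00\x01" + bytes([10, 20, 0, 5]) + (445).to_bytes(2, "big")],
     "from_phone": [b"\x05\x00"]},                                    # phone accepts no-auth
    {"phone": "10.20.30.41", "peer": "198.51.100.7",
     "from_peer": [b"\x05\x01\x00",
                   b"\x05\x01\x00\x03" + bytes([15]) + b"ads.example.com" + (443).to_bytes(2, "big")],
     "from_phone": [b"\x05\x00"]},
    {"phone": "10.20.30.42", "peer": "93.184.216.34",
     "from_peer": [b"\x16\x03\x03\x00\x5a\x02\x00"],                  # TLS ServerHello
     "from_phone": [b"\x16\x03\x01\x00\xc8\x01\x00"]},                # TLS ClientHello
]

if __name__ == "__main__":
    for r in find_proxy_abuse(SAMPLE_FLOWS):
        print("%s serves SOCKS5 to %s; targets=%s internal=%s"
              % (r["phone"], r["peer"], r["targets"], r["internal_targets"]))
```

The first flow is the case the quote warns about: an outside operator using the phone to reach 10.20.0.5:445 (SMB) on the corporate LAN. The second shows the ad-fraud use, where the target is an external host and nothing internal is touched. In practice the phone reaches its C&C over an outbound connection and the SOCKS session is tunnelled back over it, so this logic would run on reassembled TCP payloads per direction rather than on raw packets.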