Security researchers have found a new SMS malware family called ExpensiveWall. After the discovery, Google removed 50 malicious applications from its official Play Store.
Check Point researchers found ExpensiveWall in the Lovely Wallpaper application. Its payload registers victims for paid online services and sends premium-rate SMS messages from their devices, so the charges land on the victims’ own accounts.
The malicious code was found in 50 applications on the Google Play Store which were downloaded by between 1 million and 4.2 million users.
“Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge.” the Check Point analysis states.
“The new strain of malware is dubbed ‘ExpensiveWall,’ after one of the apps it uses to infect devices, ‘Lovely Wallpaper.’”
In fact, ExpensiveWall is not entirely new to security researchers. McAfee first spotted an earlier version of the malware in the Play Store in January; the payload of the variant Check Point analysed, however, differs significantly from that earlier sample.
The creators of ExpensiveWall encrypted and compressed the malicious code in order to bypass Google’s automated checks.
When a victim installs the application, it requests permissions to access the internet and to send and receive SMS messages. Once installed, the malware reports handset information to its command-and-control (C&C) server: the device’s location, MAC and IP addresses, and IMSI and IMEI numbers. The C&C server replies with a URL, which the malware opens in an embedded WebView; the page loaded there carries the JavaScript code that drives the premium SMS sending.
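The combination described above (network access plus send/receive SMS permissions, a WebView with JavaScript enabled, a JavaScript-to-native bridge, and a call into the SMS API) is something an analyst can check for statically before running a sample. The script below is an added triage example written for this article; it is not Check Point’s tooling and nothing in it comes from the ExpensiveWall code itself. It takes the decoded AndroidManifest.xml and decompiled source that tools such as apktool or jadx produce, and flags the combination. The manifest and source snippets embedded here are constructed for the example, and the assumption that the JavaScript bridge is built with addJavascriptInterface (the standard WebView mechanism for exposing native methods to page script) is the author’s, not a fact the article states.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission set the article describes: internet access plus sending and receiving SMS.
SUSPECT_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}

# Source-level indicators of a WebView-driven SMS sender. The exact calls are assumed
# typical of this pattern (WebView JS bridge + SmsManager), not taken from the sample.
SOURCE_INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge": re.compile(r"\baddJavascriptInterface\s*\("),
    "sms_send": re.compile(r"\bsendTextMessage\s*\("),
}


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def source_indicators(source):
    """Return the names of the indicator patterns that appear in decompiled source text."""
    return {name for name, rx in SOURCE_INDICATORS.items() if rx.search(source)}


def triage(manifest_xml, source):
    """Flag an app for manual review when it holds the full SMS+network permission set
    AND exposes a JS bridge from a WebView AND calls into the SMS API."""
    has_perms = SUSPECT_PERMISSIONS <= manifest_permissions(manifest_xml)
    hits = source_indicators(source)
    return {
        "sms_and_network_permissions": has_perms,
        "source_indicators": sorted(hits),
        "flag_for_review": has_perms and {"js_bridge", "sms_send"} <= hits,
    }


# Constructed sample: what a wallpaper app carrying this SDK might look like after decoding.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpaper"/>
</manifest>"""

SUSPECT_SOURCE = """
WebView wv = new WebView(ctx);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new SmsBridge(), "Android");   // exposes native methods to page JS
wv.loadUrl(urlFromC2);
// inside SmsBridge, callable from the page's JavaScript:
SmsManager.getDefault().sendTextMessage(number, null, body, null, null);
"""

# Constructed benign control: same app category, network access only, plain WebView.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Wallpaper"/>
</manifest>"""

BENIGN_SOURCE = """
WebView wv = new WebView(ctx);
wv.loadUrl("https://example.invalid/gallery");
"""

if __name__ == "__main__":
    for label, m, s in (("suspect", SUSPECT_MANIFEST, SUSPECT_SOURCE),
                        ("benign", BENIGN_MANIFEST, BENIGN_SOURCE)):
        print(label, triage(m, s))
```

The result is a triage signal, not a verdict: legitimate messaging and two-factor apps hold the same permissions, and a JavaScript bridge alone is common in hybrid apps. What makes the combination worth a manual look is that the SMS-sending path is reachable from page script fetched at runtime, which is exactly what lets a packed sample keep its real behaviour off the store and out of reach of automated review.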
The Check Point experts say the malicious code is spread to various apps as a software development kit (SDK) called “gtk”.
“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called ‘gtk,’ which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.” the analysis continues.
Check Point reported its findings to Google on August 7, and Google removed the malicious applications from the Play Store immediately. Within days, however, another sample appeared on the store; it had most likely infected more than 5,000 devices before it, too, was removed.
According to the experts, Google also missed warnings left by users who had downloaded the applications: at least one of the infected apps had accumulated a large number of negative reviews from users who had noticed the malicious behaviour.
Such incidents are becoming more frequent. In June, Google removed applications infected with the Ztorg Trojan, which allowed attackers to root targeted devices, and in April millions of users looking for software updates downloaded an app carrying the SMSVova spyware directly from the official Google Play Store.