Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.
The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.” ExpensiveWall is a new variant of a malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times.
What makes ExpensiveWall different from its other family members is that it is ‘packed’ – an obfuscation technique used by malware developers to encrypt malicious code – which allows it to evade Google Play’s built-in anti-malware protections.
Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.
It is important to point out that any infected app installed before it was removed from the app store still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices.
What does ExpensiveWall do?
The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.
Why is ExpensiveWall dangerous?
While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.
How does ExpensiveWall work?
Once ExpensiveWall is downloaded, it requests several common permissions, including internet access, which allows the app to connect to its C&C server, and SMS permissions, which enable it to send premium SMS messages and register users for other paid services, all without the users’ knowledge.
While these permissions are harmful in the context of malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.
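The permission combination described above (internet access plus SMS permissions, with the phone number used for subscriptions) is exactly what a static pre-install triage can flag. The following is an added example, not Check Point's tooling or code from the malware: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports the risky combinations. The two manifests are constructed samples, and the use of READ_PHONE_STATE as the permission behind reading the device phone number is an assumption, not something the post states.

```python
"""Static triage of AndroidManifest.xml permission combinations.

Added example; not part of the original post. Flags the combination the
post describes for ExpensiveWall: network access (C&C channel) together
with SMS permissions (premium messaging / paid-service registration).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

NETWORK = {"android.permission.INTERNET"}
SMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Assumption: READ_PHONE_STATE is the usual way an app reads the device's
# own phone number, which the post says the malware obtains before subscribing
# the user to paid services.
PHONE_IDENTITY = {"android.permission.READ_PHONE_STATE"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Report permission combinations that warrant a closer (dynamic) look."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS and perms & NETWORK:
        findings.append("network + SMS: can send premium SMS under remote control")
    if perms & SMS and perms & PHONE_IDENTITY:
        findings.append("SMS + phone identity: can subscribe the device number to paid services")
    return {"permissions": sorted(perms), "findings": findings, "review": bool(findings)}


# Constructed sample: a wallpaper app declaring the combination described in the post.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovelywallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Lovely Wallpaper"/>
</manifest>
"""

# Constructed sample: a wallpaper app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Wallpaper"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(xml)
        print(name, "->", "REVIEW" if result["review"] else "ok", result["findings"])
```

A declared permission is only a static signal; as the post notes, many legitimate apps ask for the same ones, so a hit here should route the sample to dynamic analysis rather than be treated as a verdict on its own.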
Subscribing victims to paid services
The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below:
Sending premium SMS messages
ExpensiveWall on Google Play
The malicious activities did not go unnoticed by the users, as one notes below:
As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.
After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.
Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.
How to stay protected
Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within the context of its operation on a device can successful strategies to block it be created.
Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available.
Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point Anti-Bot Blade, which provides protection against this threat with the signature:
Appendix 1: List of Package names and downloads:
| Package Name | App Name | Downloads (min) | Downloads (max) | Uploaded to Google Play |
|---|---|---|---|---|
| com.star.trek | I Love Fliter | 1,000,000 | 5,000,000 | 18/09/2016 |
| com.newac.toolbox | Tool Box Pro | 500,000 | 1,000,000 | 19/10/2015 |
| com.gkt.xwallpaper | X Wallpaper Pro | 500,000 | 1,000,000 | 02/06/2015 |
| com.desktoptools.screenunsubscribe | DIY Your Screen | 100,000 | 500,000 | 21/07/2016 |
| com.gpthtwo.horoscope | ดวง 12 ราศี Lite | 100,000 | 500,000 | 03/11/2015 |
| com.pl.toolboxpro | Tool Box Pro | 100,000 | 500,000 | 22/01/2016 |
| com.yeahmobi.horoscope | ดวง 12 ราศี Lite | 100,000 | 500,000 | 20/28/2014 |
| com.pl.toolbox | Tool Box Pro | 50,000 | 100,000 | 08/12/2015 |
| com.gkt.fileexplorer | BI File Manager | 10,000 | 50,000 | 01/08/2016 |
| com.kevin.beautyvideo | Beautiful Video-Edit your Memory | 10,000 | 50,000 | 22/09/2016 |
| com.kkcamera.akbcartoon | Cartoon Camera-stylish, clean | 5,000 | 10,000 | 08/03/2017 |
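Because an app removed from Google Play stays installed on devices that already have it, the practical check is to compare a device's installed package list against the package names in the appendix. The following is an added example, not Check Point's code: it parses the output of `adb shell pm list packages` (each line has the form `package:<name>`), reports any listed package that matches the appendix, and builds the corresponding `adb uninstall` commands for an administrator to run. The device output shown is a constructed sample.

```python
"""Match a device's installed packages against the appendix package names.

Added example; not part of the original post. Input is the text produced by
`adb shell pm list packages`, one `package:<name>` line per installed app.
"""

# Package names and app names copied from the appendix of the post.
KNOWN_PACKAGES = {
    "com.star.trek": "I Love Fliter",
    "com.newac.toolbox": "Tool Box Pro",
    "com.gkt.xwallpaper": "X Wallpaper Pro",
    "com.desktoptools.screenunsubscribe": "DIY Your Screen",
    "com.gpthtwo.horoscope": "ดวง 12 ราศี Lite",
    "com.pl.toolboxpro": "Tool Box Pro",
    "com.yeahmobi.horoscope": "ดวง 12 ราศี Lite",
    "com.pl.toolbox": "Tool Box Pro",
    "com.gkt.fileexplorer": "BI File Manager",
    "com.kevin.beautyvideo": "Beautiful Video-Edit your Memory",
    "com.kkcamera.akbcartoon": "Cartoon Camera-stylish, clean",
}


def parse_pm_list(output: str) -> set:
    """Extract package names from `pm list packages` output, ignoring noise lines."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def find_known(output: str) -> list:
    """Return (package, app name) pairs for installed packages that match the appendix."""
    installed = parse_pm_list(output)
    return sorted((pkg, KNOWN_PACKAGES[pkg]) for pkg in installed if pkg in KNOWN_PACKAGES)


def removal_commands(output: str) -> list:
    """Build the adb commands that remove each matched package."""
    return [f"adb uninstall {pkg}" for pkg, _ in find_known(output)]


# Constructed sample of `adb shell pm list packages` output from a device that
# still has two of the listed apps installed.
SAMPLE_DEVICE_OUTPUT = """package:com.android.chrome
package:com.gkt.xwallpaper
package:com.google.android.gms
package:com.pl.toolbox
package:com.example.notes
"""

if __name__ == "__main__":
    hits = find_known(SAMPLE_DEVICE_OUTPUT)
    if not hits:
        print("no packages from the appendix are installed")
    for pkg, app in hits:
        print(f"FOUND {pkg} ({app})")
    for cmd in removal_commands(SAMPLE_DEVICE_OUTPUT):
        print(cmd)
```

In practice the input would come from `adb shell pm list packages` run against a connected device (or from an MDM inventory export in the same format); the match is on package name only, since the app names in the appendix are reused across several packages.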