Malicious apps spread via Google Store packaged with premium SMS scam

PandaLabs has found at least four free apps in the official Google Play store that are packaged with a premium SMS scam. Already 300000 mobile infected.

PandaLabs security firm has identified malicious Android apps available on Google Play that can sign up users for premium SMS subscription services without user knowledge. The malware has infected at least 300,000 Android devices, although the number of downloads could have reached 1,200,000.

The security firm identified at least four free apps in the official Google Play store that are packaged with a premium SMS scam, their names are “Abs Diets”, “Cupcake Recipes”, “Easy Hairdos” and “Workout Routines”.

When the “Abs Diet” app has been installed on the user’s device and once victim has accepted the terms and conditions of the service, the application displays a series of suggestions to improve physical fitness and then the app silently search for the phone number of the mobile device, connects to a Web page and signs the victim up to a premium SMS subscription service.

Very smart is the way the app retrieves the phone number, it steals the number from WhatsApp.

“Without the user knowledge the app will get the phone number of the device, will go to a website and will register it to a premium SMS service. This service require a confirmation to be activated, which means it sends a SMS to that number with a PIN code, which have to be entered back to end the process and start changing you money. This app waits for that specific message, once it arrives it intercepts its arrival, parses it, takes the PIN number and confirm your interest in the service. Then it removes it, no notification is shown in the terminal and the SMS is not shown anywhere. Again, all this is done without the user knowledge.” states the PandaLabs blog post.

The experts at Panda Labs estimated that the average each victim gets charged by these apps is $20 and considering that overall number of downloads is between 300,000 and 1,200,000, this means that the cyber criminals could have made between $6 million and $24 million.

It’s not the first time that a malware is served via Google Play store, in the past popular banking trojan like Carberp has been spread through the official channel.

Be careful to what you install on your mobile and evaluate the permissions apps need to be installed, they could allow malicious code to cause serious problems.

Pierluigi Paganini

(Security Affairs – Android, SMS)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.