Premium SMS malware EXPENSIVEWALL infected millions of Android handsets

Pierluigi Paganini September 15, 2017

Google removed 50 malicious apps from the official Play Store after experts discovered a new malware, dubbed ExpensiveWall, that eluded Google Bouncer checks.

Google has removed 50 malicious apps from the official Play Store after experts with security firm Check Point discovered a new malware, dubbed ExpensiveWall, that eluded the checks of Google's Bouncer.

The ExpensiveWall malware was found in the Lovely Wallpaper app. It includes a payload that registers victims for paid online services and sends premium SMS messages from their devices. The malicious code was discovered in 50 apps on the Play Store that were downloaded between 1 million and 4.2 million times.

“Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge.” states the analysis shared by Check Point researchers.

“The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.””


The malware is not totally new to security experts: malware researchers with McAfee first spotted it in the Play Store in January, but Check Point highlighted that the payloads have significant differences.

The ExpensiveWall authors encrypted and compressed the malicious code in order to bypass Google's automated checking processes, and they succeeded.

Once the application is installed by the victim, it requests permission to access the internet and to send and receive SMS messages. ExpensiveWall then sends handset information back to the C&C server, including its location, MAC and IP addresses, and IMSI and IMEI numbers.

The C&C server, in turn, sends the malware a URL that it opens in an embedded WebView window and downloads the JavaScript code used to send the premium SMS messages.
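A static triage check for the permission pattern described above, as an added example that is not part of the original article or of Check Point's analysis: it parses a decoded AndroidManifest.xml and flags the combination of internet access with SMS send/receive (plus the identifier permissions needed to read IMEI/IMSI). The manifest below is constructed; the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Permission set the article describes: internet access plus SMS send/receive.
NETWORK = {"android.permission.INTERNET"}
SMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.READ_SMS"}
# Reading IMEI/IMSI or location requires these; their presence is a secondary signal.
IDENTITY = {"android.permission.READ_PHONE_STATE",
            "android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str, declared_category: str) -> dict:
    """Flag network+SMS permission combinations; escalate when the app category
    (e.g. a wallpaper app) has no plausible need to send SMS."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if perms & NETWORK and perms & SMS:
        findings.append("network+sms: " + ", ".join(sorted(perms & SMS)))
    if perms & IDENTITY:
        findings.append("device identifiers/location: " + ", ".join(sorted(perms & IDENTITY)))
    suspicious = bool(findings) and declared_category.lower() in {"wallpaper", "personalization"}
    return {"permissions": sorted(perms), "findings": findings, "suspicious": suspicious}


# Constructed manifest resembling the combination the article describes (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Lovely Wallpaper"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "wallpaper"))
```

Run it over manifests extracted with apktool or aapt; a hit is a reason to look at the app's WebView usage, not proof of malware on its own.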

According to Check Point researchers, the malicious code is spread to different applications as a software development kit called GTK.

“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.” continues the analysis.

Check Point reported the discovery to Google on August 7, 2017, and the company promptly removed the malicious apps from the Google Play Store. Unfortunately, within days of the affected apps being removed from the store, another sample was spotted on Google Play; it likely infected more than 5,000 devices before it was removed four days later.

Experts said Google missed warnings about the malware infection that users who downloaded the apps had published in the comments section. One of the infected apps received a large amount of negative feedback from outraged users who noticed the malicious behavior.

Unfortunately, such incidents are becoming frequent: in June, Google twice in one month removed malicious apps infected with the Ztorg Trojan, which allowed attackers to root targeted devices.

In April, millions of users looking for software updates downloaded an app hiding spyware called SMSVova through the official Google Play store.

It has been estimated that the fake application hiding the SMSVova spyware was uploaded to Google Play in 2014 and was downloaded between 1,000,000 and 5,000,000 times.

Clearly, Google must improve its checks to avoid further incidents.


Pierluigi Paganini

(Security Affairs –ExpensiveWall malware, Android)
