ExpensiveWall: Banking Trojan targets Android users with fake SMS messages

ExpensiveWall malware Google Play store Android malware

Google pulled the offending apps as soon as it was notified by Check Point, although another sample appeared soon after and managed to infect a further 5,000 devices before it was removed four days later.

Hidden inside wallpaper apps, the malware has been named "ExpensiveWall", after finding its way to Google Android devices through Google users downloading malicious apps through the Google Play store.

The security researchers said the malicious software could have infected as many as 21.1million devices after being downloaded up to 4.2million times. If you follow Android security, this might all sound a bit familiar, and that's because it's basically identical to another piece of malware discovered earlier this year.

"Once ExpensiveWall is downloaded, it requests several common permissions, including internet access - which allows the app to connect to its C&C server - and SMS permissions - which enable it to send premium SMS messages and register users for other paid services all without the user's knowledge", explained Check Point.

It's unclear how much revenue attackers managed to generate from this particular family.

It can steal sensitive data and collect information such as the location of a victim using the malware-hit device and its IP address.

"Since the malware is capable of operating silently, all of this illicit activity takes place without the victim's knowledge, turning it into the ultimate spying tool."
This is not a new technique but one that has proved successful in the past.

Check Point believes that the Android app developers unwittingly distributed ExpensiveWall through their apps by using a developer kit called gtk that developers embed into their own apps. It won't surprise many of you that Google's Assistant app strategy is a little fragmented. One of the infected apps received a huge number of negative feedback by outraged users who spotted the malicious behavior. Not only did it force people to sign up with subscriptions via SMS, but it was also able to remotely install applications as well as leaking user information including the phone number, Global Positioning System location, installed apps, and IP address. Google's recently announced Play Protect should also be able to remove malicious apps from infected devices, but that might not happen on older versions of Android or on those where users have disabled Play Protect protection. You can also navigate to it via the hamburger menu in the Home App and then the Explore tab.

Related:

Comments


Other news