Researchers have recently found at least 50 apps on the official Google Playmarket that charge for fee-based services without user's knowledge or permission.
The application is downloaded as much as 4.2 million times. Google quickly removed the app after researchers reported it, but within days, apps from the same evil family have returned and infected more than 5,000 devices.
Arstechnica (15/9/2017) reports the application, all from a malware family that ensures Check Point's security firm calls Expensive Walls, secretly uploads unique phone numbers, locations, and hardware identifiers to servers controlled by attackers.
The app then uses a phone number to not exclude users of premium services and send fake premium text messages, a move that causes users to be billed.
Check Point researchers do not know how much revenue is generated by the app. Google Play shows its apps from 1 million to 4.2 million downloads. Lifting the Expensive Wall-named after one of the individual apps called Lovely Wall-uses a common technique known as packing.
By encrypting an executable file before it is uploaded to Play, an attacker can hide its destruction from Google's malware scanner.
The keys included in the package are then reinstalled after they are safely stored on the targeted device.
Although the packaging is more than a decade, Google's failure to capture applications, even after the first batch is removed, underscores how effectively this technique persists. "While the Expensive Wall is currently designed only to generate profits from its victims, similar malware can occur.
Easily modified to use the same infrastructure for capturing images, recording audio, and even stealing sensitive data and sending a command and control (C & C) datato server, "Check Point researchers wrote in a report scheduled for publication on Thursday. Because the malware works quietly, all of this illicit activity takes place without the victim's knowledge, turning it into a major spy tool.
Even Google removes apps from Play, many phones will remain infected until users explicitly uninstall them. the title is dangerous, the Check Point researcher told Ars.
Google has long said that a security feature known as Play Protect, previously called Verify Apps, will automatically remove malicious apps from affected phones.
Many phones, however, have never been disinfected, because users have turned off the default feature or are using an older version of Android that does not support it, the Check Point researcher told Ars.
The full list of affected apps is included in the Check Point report linked above. Google representatives did not immediately have comments for this post.
The researchers say they believe that the Expensive Wall is propagated by a software developer kit called gtk that the developer instilled into their own applications. It is unclear whether individual developers know the malicious behavior their app performs. Google's inability to block malicious apps from Play is one of the biggest security obligations that depend on the Android operating system. Android users must restrict the apps they install on their devices. They should also carefully read user comments and check the permissions requested before installing the app. They should also make sure Play Protect is enabled by opening the Google Play app, selecting options, selecting the Play Protect tab, and ensuring protection is enabled.
These steps are totally inadequate to ensure the installed app is trustworthy, but at present, is the best guarantee available.