Millions of Android Handsets Infected by the ExpensiveWall Malware


Google's efforts to keep its mobile app store free of malware-laden applications appears to be very much a work in progress considering the recent success cyber-criminals have had uploading rogue software to it. While back in April, millions of users looking for software updates, downloaded an app featuring the SMSVova spyware straight through the official Google Play Store, which has been downloaded between 1,000,000 and 5,000,000 times. Based on other reviews, the researchers from Check Point believe that the apps were also promoted on social media networks through ads.

Google removed the malware infected apps; however ExpensiveWall continued to cause trouble for the tech giants App Store by spreading the sample across another 5,000 devices at least.

This new variant of Android malware is called "ExpensiveWall" and it sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.

Besides registering to premium services without users' assent, it has the potential to use this "Packed" technique to easily capture pictures, record audio and even steal sensitive data and send it to a command and control (C&C) server, effectively turning the victim's mobile in to ultimate spying tool. Before being removed it was already downloaded up to 10,000 times.

21 million users fall victim to second Google Android malware attack

Unlike previous versions of the malware, ExpensiveWall uses an advanced obfuscation technique to evade the anti-malware protections that Google has built into Play, the researchers said. "Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play". Over 50 apps were able to skip Google Play Store protections and managed to successfully amass over 21.1 million infections - that's the second biggest malware outbreak according to security researchers. If a user downloads the malware, it requests permissions commonly associated with other applications such as permission for Internet access and SMS permissions. Over 4.2 million users downloaded these 50 infected apps.

Unlike the previously discovered version, this strain of malware uses so-called "packing", an advanced obfuscation technique created to bypass Google's built-in security filters.

Check Point also notes that even if these apps have been removed from Google Play, they will continue to infect the smartphone until and unless they are manually uninstalled from the device.