A dangerous ‘packed’ malware spotted on Google Play that will hit your wallet

Despite Google’s many efforts, malicious apps still manage to fool the Play Store’s anti-malware protections and infect people with malicious software.

The same happened once again when at least 50 apps made their way onto the Google Play Store and were downloaded as many as 4.2 million times, making this one of the biggest malware outbreaks.

Security firm Check Point on Thursday published a blog post revealing at least 50 Android apps that were free to download on the official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.

What does ExpensiveWall do?

These Android apps come with a hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium text messages from victims’ smartphones, and leaves them to pay the bill, all without the users’ knowledge or permission.

Dubbed ExpensiveWall by Check Point researchers because it was found in the Lovely Wallpaper app, the malware comes hidden in free wallpaper, video or photo editing apps. It’s a new variant of malware that McAfee spotted earlier this year on the Play Store.

But what makes ExpensiveWall malware different from its other variants is that it makes use of an advanced obfuscation technique called “packed,” which compresses malicious code and encrypts it to evade Google Play Store’s built-in anti-malware protections.

The researchers notified Google of the malicious apps on August 7, and the software giant quickly removed all of them, but within a few days the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.

Why is ExpensiveWall dangerous?

While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

How does ExpensiveWall work?

Once an app carrying ExpensiveWall (which researchers think came from a software development kit called GTK) is downloaded onto a victim’s device, the malicious app asks for the user’s permission to access the Internet and to send and receive SMS messages.

The internet access is used by the malware to connect the victim’s device to the attacker’s command and control server, where it sends information on the infected handset, including its location alongside unique hardware identifiers, such as MAC and IP addresses, IMSI and IMEI numbers.

The C&C server then sends the malware a URL, which it opens in an embedded WebView window to download JavaScript code that begins to clock up bills for the victim by sending fraudulent premium SMS messages without their knowledge, and uses the victim’s phone number to register for paid services.
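
The permission request described above can be checked statically before an app is trusted. The following is an added example, not code from Check Point or the original article: it assumes the manifest has already been decoded from the APK into text XML, the two sample manifests are constructed, and the function names are hypothetical. Legitimate messaging apps also request this combination, so a hit is a triage signal for apps such as wallpapers or camera filters that have no need for SMS.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The permission set the article says the malicious apps request.
SMS_COMBO = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}

# Constructed manifests (already decoded to text XML); not from any real app.
MANIFEST_SMS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.a">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

MANIFEST_PLAIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.b">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package"), perms

def triage(manifest_xml):
    """Flag a manifest only when all three permissions are requested together."""
    package, perms = requested_permissions(manifest_xml)
    return {
        "package": package,
        "present": sorted(SMS_COMBO & perms),
        "missing": sorted(SMS_COMBO - perms),
        "flag": SMS_COMBO <= perms,
    }

if __name__ == "__main__":
    for doc in (MANIFEST_SMS, MANIFEST_PLAIN):
        print(triage(doc))
```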

However, according to the Check Point researchers, it is still unclear how much revenue was generated via ExpensiveWall’s premium SMS scam.

ExpensiveWall on Google Play

As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.

How to stay protected

Even though Google has removed all the malware-tainted apps from its official Play Store marketplace, any smartphone that installed one of them will remain infected with the ExpensiveWall malware until the user explicitly uninstalls the malicious app.

Google has recently provided a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from the affected smartphones to prevent further harm.

However, according to the Check Point researchers, many phones run an older version of Android that does not support the feature, leaving a wide audience open to malware attacks.

Here is the list of package names and downloads:

Package Name  App Name  Min downloads  Max downloads  Uploaded to Google Play
com.star.trek I Love Fliter 1,000,000 5,000,000 18/09/2016
com.newac.toolbox Tool Box Pro 500,000 1,000,000 19/10/2015
com.newac.wallpaper X WALLPAPER 500,000 1,000,000 27/09/2015
com.yeahmobi.horoscopeinter Horoscope 500,000 1,000,000 16/03/2015
com.gkt.xwallpaper X Wallpaper Pro 500,000 1,000,000 02/06/2015
com.gwqcv.zsfy Beautiful Camera 100,000 500,000 11/05/2017
com.hdsj.hdey Color Camera 100,000 500,000 16/03/2017
com.lovephoto.gp.inter Love Photo 100,000 500,000 13/03/2017
com.parrot.tidecmr Tide Camera 100,000 500,000 22/03/2017
com.zerg.charmingcmr Charming Camera 100,000 500,000 22/03/2017
com.constellation.prophecy Horoscope 100,000 500,000 30/06/2016
com.desktoptools.screenunsubscribe DIY Your Screen 100,000 500,000 21/07/2016
com.gkt.ringtonegp Ringtone 100,000 500,000 02/06/2015
com.gpthtwo.horoscope ดวง 12 ราศี Lite 100,000 500,000 03/11/2015
com.guard.defend Safe locker 100,000 500,000 17/06/2016
com.newac.wifibooster Wifi Booster 100,000 500,000 04/11/2015
com.newera.desktop Cool Desktop 100,000 500,000 30/06/2016
com.newera.toolbox useful cube 100,000 500,000 12/06/2016
com.pl.toolboxpro Tool Box Pro 100,000 500,000 22/01/2016
com.something.someone Useful Desktop 100,000 500,000 17/09/2016
com.yeahmobi.horoscope ดวง 12 ราศี Lite 100,000 500,000 20/28/2014
com.yeahmobi.horoscopegpadap Horoscope2.0 100,000 500,000 23/03/2015
com.cegqz.uoud Yes Star 50,000 100,000 03/05/2017
com.cmr.shiny Shiny Camera 50,000 100,000 03/05/2017
com.johg.udrad Simple Camera 50,000 100,000 07/07/2017
com.scamera.smiling Smiling Camera 50,000 100,000 07/06/2017
com.cmr.universal Universal Camera 50,000 100,000 16/05/2017
com.gb.toolbox Amazing Toolbox 50,000 100,000 23/03/2016
com.genesis.awesome Easy capture 50,000 100,000 24/10/2016
com.newera.memorydoctor Memory Doctor 50,000 100,000 15/06/2016
com.pl.toolbox Tool Box Pro 50,000 100,000 08/12/2015
com.sexy.pic Reborn Beauty 50,000 100,000 28/07/2016
com.joy.photo.gp.inter Joy Photo 50,000 100,000 02/08/2016
com.fancy.camera.gp.inter Fancy Camera 50,000 100,000 09/08/2016
com.amazing.photo.gp.inter Amazing Photo 50,000 100,000 13/09/2016
com.amazing.camera.ggi Amazing Camera 50,000 100,000 05/01/2017
com.super.wallpaper.gp.inter Super Wallpaper 50,000 100,000 30/08/2016
com.aolw.maoa DD Player 10,000 50,000 13/03/2017
com.bbapcmr.fascinating Fascinating Camera 10,000 50,000 13/04/2017
com.coral.muse Universal Camera 10,000 50,000 13/07/2017
com.cream.lecoa Cream Camera 10,000 50,000 27/03/2017
com.dmeq.oopes Looking Camera 10,000 50,000 23/05/2017
com.dosl.wthre DD Weather 10,000 50,000 23/05/2017
com.fqaf.dlksk Global Weather 10,000 50,000 03/05/2017
com.ivxz.ykvlf Love Fitness 10,000 50,000 23/05/2017
com.jpst.lsyk Pretty Pictures 10,000 50,000 06/04/2017
com.kifb.mifv Cool Wallpapers 10,000 50,000 10/01/2017
com.magic.beautycmr Beauty Camera 10,000 50,000 04/04/2017
com.opaly.nqib Love locker 10,000 50,000 12/05/2017
com.real.stargh Real Star 10,000 50,000 27/02/2017
com.sadcmr.magic Magic Camera 10,000 50,000 14/06/2017
com.scamera.wonder Wonder Camera 10,000 50,000 14/06/2017
com.scmr.funny Funny Camera 10,000 50,000 02/06/2017
com.simon.easy Easy Camera 10,000 50,000 28/02/2017
com.smgft.keyboard Smart Keyboard 10,000 50,000 14/06/2017
com.xnoc.jdvy Travel Camera 10,000 50,000 02/05/2017
com.yiuw.fhly Photo Warp 10,000 50,000 20/01/2017
com.yjmn.vokle Lovely Wallpaper 10,000 50,000 07/07/2017
com.ysyg.wtmca Lattice Camera 10,000 50,000 09/06/2017
fast.bats.chaz Quick Charger 10,000 50,000 08/05/2017
com.upcamera.xgcby Up Camera 10,000 50,000 18/01/2017
com.photo.power.gp Photo Power 10,000 50,000 23/11/2016
com.asdf.fg.hdwallpaper HDwallpaper 10,000 50,000 13/12/2016
com.gb.wonderfulgames Wonderful Games 10,000 50,000 09/04/2016
com.gkt.fileexplorer BI File Manager 10,000 50,000 01/08/2016
com.gkt.wallpapershd Wallpapers HD 10,000 50,000 03/01/2016
com.kevin.beautyvideo Beautiful Video-Edit your Memory 10,000 50,000 22/09/2016
com.newera.beautifulphoto Wonderful Cam 10,000 50,000 12/06/2016
com.next.toolset useful cube 10,000 50,000 30/06/2016
com.ringtone.freshac Ringtone 10,000 50,000 26/11/2015
com.gkt.gamebar Exciting Games 10,000 50,000 15/09/2015
com.replica.adventure.gp Replica Adventure 10,000 50,000 07/07/2016
com.gg.player.gp GG Player 10,000 50,000 12/07/2016
com.love.camera.gp Love Camera 10,000 50,000 20/10/2016
com.oneshot.beautify.gp Oneshot Beautify 10,000 50,000 01/08/2016
com.pretty.camera.gp Pretty Camera 10,000 50,000 18/10/2016
com.hygk.hlhy CuteCamera 5,000 10,000 22/02/2017
com.kkcamera.akbcartoon Cartoon Camera-stylish, clean 5,000 10,000 08/03/2017
com.craft.decorate Art Camera 5,000 7,000 13/08/2017
com.amazing.video.gp Amazing Video 5,000 10,000 16/11/2016
com.fine.photo.gp Fine Photo 5,000 10,000 22/12/2016
com.applocker.coldwar Infinity safe 5,000 10,000 09/09/2016
com.final.horosope Magical Horoscope 5,000 10,000 21/02/2017
com.gp.toolboxche Toolbox 5,000 10,000 28/04/2016
com.prettygirl.newyear Cute Belle 5,000 10,000 12/01/2017
com.roy.cartoonwallpaper CartoonWallpaper 5,000 10,000 06/09/2016
com.thebell.newcentury Ringtone 5,000 10,000 01/08/2016
com.aypx.ygzp Best Camera 1,000 5,000 16/02/2017
com.colorful.locker Colorful Locker 1,000 5,000 09/05/2017
com.hlux.wfsha Light Keyboard 1,000 5,000 21/07/2017
com.ytkue.oprw Safe Privacy 1,000 5,000 07/06/2017
com.qwer.enjoy.enjoywallpaper Enjoy Wallpaper 1,000 5,000 03/11/2016
com.file.manager.gp File Manager 1,000 5,000 13/12/2016
com.highfirst.fancylocker Fancy locker 1,000 5,000 05/01/2017
com.cute.puzzle.gp Cute Puzzle 1,000 5,000 05/10/2016
com.keyboard.smile Smile Keyboard 500 707 16/05/2017
com.owexs.iouert Vitality Camera 100 500 04/07/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.camera.kfcfancy Fancy Camera 100 500 20/03/2017
com.hhcamera.useful Useful Camera 100 224 06/03/2017
com.owexs.iouert Vitality Camera 100 224 04/07/2017
com.sec.transfer Sec Transfer 100 136 14/03/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.bpmiddle.oneversion Magic Filter 100 224 21/09/2016
com.funny.video.gp Funny Video 100 500 07/10/2016
com.ads.wowgames Amazing Gamebox 100 224 22/05/2016
com.wtns.superlocker Super locker 10 50 25/04/2017
com.musicg.ckiqp Music Player 1 2 06/04/2017
Total   5,904,511 21,101,567
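
To act on the list above, the installed packages on a device can be compared against it. This is an added example, not part of the original article or Check Point's tooling: it parses rows in the layout shown in the table (five are copied here) and matches them exactly against the output of `adb shell pm list packages`. The device output is a constructed sample and the function names are hypothetical.

```python
import re

# Five rows copied from the table above; paste the full list for real use.
TABLE_ROWS = """\
com.star.trek I Love Fliter 1,000,000 5,000,000 18/09/2016
com.gpthtwo.horoscope ดวง 12 ราศี Lite 100,000 500,000 03/11/2015
com.yjmn.vokle Lovely Wallpaper 10,000 50,000 07/07/2017
com.kkcamera.akbcartoon Cartoon Camera-stylish, clean 5,000 10,000 08/03/2017
fast.bats.chaz Quick Charger 10,000 50,000 08/05/2017
"""

# Constructed sample of `adb shell pm list packages` output, not real device data.
PM_OUTPUT = """\
package:com.android.settings
package:com.yjmn.vokle
package:com.star.trekking
package:fast.bats.chaz
"""

# package, app name (may contain spaces and digits), min, max, upload date
ROW_RE = re.compile(
    r"^(?P<pkg>[A-Za-z][\w.]*)\s+(?P<app>.+?)\s+"
    r"(?P<min>\d[\d,]*)\s+(?P<max>\d[\d,]*)\s+(?P<date>\d{2}/\d{2}/\d{4})$"
)

def parse_table(text):
    """Map package name -> fields; header, Total and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["pkg"]] = {
                "app": m["app"],
                "min": int(m["min"].replace(",", "")),
                "max": int(m["max"].replace(",", "")),
                "uploaded": m["date"],
            }
    return rows

def installed_packages(pm_output):
    """Package names from `pm list packages` lines of the form package:<name>."""
    lines = (line.strip() for line in pm_output.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}

def find_listed_apps(table_text, pm_output):
    """Exact-match installed packages against the list; returns (package, app)."""
    listed = parse_table(table_text)
    hits = installed_packages(pm_output) & set(listed)
    return sorted((pkg, listed[pkg]["app"]) for pkg in hits)

if __name__ == "__main__":
    for pkg, app in find_listed_apps(TABLE_ROWS, PM_OUTPUT):
        print(f"listed app installed: {app} ({pkg}) -> adb uninstall {pkg}")
```

Matching is exact on the package name, so `com.star.trekking` in the sample is not reported even though it shares a prefix with a listed package.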

 

You are strongly advised to always keep a good antivirus app on your device that can detect and block any malicious app before it can infect your device, and always keep your device and all apps up-to-date.

Credit: Check Point

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he has a passion for covering the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking newsbytes, the Dark Web, hacking tutorials and a few more.
