Malicious apps with >1 million downloads slip past Google defenses twice


One of the fee-based services ExpensiveWall apps subscribed users to.

Researchers recently found at least 50 apps in the official Google Play market that racked up charges for fee-based services without the knowledge or permission of users. The apps were downloaded as many as 4.2 million times. Google quickly removed the apps after the researchers reported them, but within days, apps from the same malicious family were back and infected more than 5,000 devices.

The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be charged. Check Point researchers didn’t know how much revenue was generated by the apps. Google Play showed the apps had from 1 million to 4.2 million downloads.

Packing heat

ExpensiveWall—named after one of the individual apps called LovelyWall—utilized a common obfuscation technique known as packing. By compressing or encrypting the executable file before it’s uploaded to Play, attackers can hide its maliciousness from Google’s malware scanners. A key included in the package then reassembled the executable once the file was safely on the target device. Although packing is more than a decade old, Google’s failure to catch the apps, even after the first batch was removed, underscores how effective the technique remains.
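Because a packed app ships its real code compressed or encrypted and only reassembles it on the device, the payload entry inside the APK looks like random bytes. The following is an added example of the kind of entropy heuristic a scanner can apply to flag such entries; it is not Check Point's or Google's tooling, and the sample APK, its entry names and the 7.5 bits/byte threshold are constructed for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"      # every valid Dalvik executable starts with this
ENTROPY_THRESHOLD = 7.5   # assumed cutoff: uniform random data is ~8.0, text ~4-5
# Formats that are legitimately compressed already and would only cause false positives.
SKIP_SUFFIXES = (".png", ".jpg", ".webp", ".ogg", ".mp3", ".gz", ".zip", ".apk")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: reason} for APK entries that look packed or encrypted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            if name.endswith(".dex") and not data.startswith(DEX_MAGIC):
                findings[name] = "dex entry without DEX magic (encrypted payload?)"
            elif not name.lower().endswith(SKIP_SUFFIXES) and len(data) >= 512:
                ent = shannon_entropy(data)
                if ent > ENTROPY_THRESHOLD:
                    findings[name] = f"high entropy {ent:.2f} bits/byte"
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a small loader stub plus one encrypted-looking blob."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a packed payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.wallpaper'/>" * 20)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 1024)  # tiny stub
        zf.writestr("assets/payload.dat", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_apk()).items():
        print(f"{entry}: {reason}")
```

Entropy alone cannot distinguish encryption from legitimate compression, so in practice the flag is a trigger for dynamic analysis of what the stub loads at runtime, not a verdict on its own.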

"While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server," Check Point researchers wrote in a report scheduled to be published Thursday. "Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool."

Even after Google deleted the apps from Play, many phones will remain infected until owners explicitly uninstall the malicious titles, Check Point researchers told Ars. Google has long said that a security feature known as Play Protect, formerly called Verify Apps, will automatically remove malicious apps from affected phones. Many phones, however, are never disinfected, either because users have turned off the default feature or are using an old version of Android that doesn’t support it, Check Point researchers told Ars. A full list of the affected apps is included in the Check Point report linked above. Google representatives didn’t immediately have a comment for this post.

The researchers said they believe ExpensiveWall is spread by a software developer kit called gtk that developers embed into their own apps. It’s not clear if individual developers knew of the malicious behavior their apps carried out. Google’s continued inability to block malicious apps from Play is one of the biggest security liabilities hanging over the Android operating system. Android users should limit the apps they install on their devices. They should also carefully read user comments and review requested permissions before installing an app. They should also ensure Play Protect is turned on by opening the Google Play app, choosing settings, selecting the Play Protect tab, and making sure the protection is on. Those measures are by no means adequate for ensuring an installed app is trustworthy, but at the moment, that’s the best assurance available.
