Security researchers claim to have found one of the biggest outbreaks of Android malware ever to sneak its way from the Google Play Store onto people's phones.
At least fifty malicious applications listed on the Google Play Store sent fraudulent premium SMS messages and charged people for fake services, according to researchers at Check Point Software Technologies, an Israeli cyber security giant that published a report and blog post about the attack on Thursday. The company said the infection spread to 21 million victims.
The researchers named the malware "ExpensiveWall" because it was found in the "Lovely Wallpaper" application, which promised to offer a selection of background photos for mobile phones. Other infected applications included ones named "I Love Filter," "Tool Box Pro," and "Horoscope."
No fewer than 50 applications, downloaded 4 million times by Android users, featured an advanced form of the malware that used "packing," a technique that wraps code in encryption, effectively masking it. The researchers said that measure allowed the malware to avoid Google's security filters and go undetected.
Packing is not a new technique, but it was a successful one for ExpensiveWall, since the malware lived inside the Google Play Store for some time before the discovery. For those who were victims of the attack, the malware would send premium SMS messages without the user's knowledge, charging their accounts for services they never used.
The infections spread further and more extensively than any other malware on the Google Play Store, except for a May campaign called "Judy," which infected 36 million devices, as Forbes notes. The security firm McAfee recognized an early variant of the ExpensiveWall malware in January. This time the malware's creators had encrypted and compressed it, making it impossible for Google's automated checking processes to spot it.
Once downloaded, the malware asks for permission to access the internet and to start sending and receiving SMS messages. At that point, it pings its command and control server with data on the infected handset, including its location and unique identifiers such as MAC and IP addresses, IMEI, and IMSI numbers.
The Check Point team alerted Google to the cyber criminal scheme on Aug. 7, and the search giant subsequently removed the applications from its app store. The researchers claimed that even after the supposed eradication, another form of the malware snuck its way onto the Google Play Store, reaching 5,000 phones before Google removed it four days later.
"We've removed these apps from Play and always appreciate the research community's efforts to help keep the Android ecosystem safe," said a Google spokesperson, Aaron Stein.
Despite the scammers' success in tricking people into downloading the malicious applications, reviewers posted many warnings on the Play Store's comments pages. "Virus detected," said one. "Spam app," wrote another. "Scam!!!" warned a third.
Based on reviews like the above, Check Point researchers have claimed the applications were promoted through advertisements on a few social networks, including Facebook and Instagram.
Padon said that, to protect themselves, users should make sure none of the listed applications is installed on their mobile phone. If any show up, people should manually remove them.