Security News Yet Another Android Trojan Malware - downloaded over 4.2M times from Play Store

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Even after multiple efforts by Google, malicious apps managed to bypass its Play Store's anti-malware protections. Security firm Check Point on Thursday published a blog post revealing at least 50 free Android apps on Play Store that were downloaded between 1 & 4.2 Million times before Google removed them.
These apps come with hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium text messages from victims' smartphones and leaves them to pay the bill— all without the knowledge or permission of users.

Dubbed ExpensiveWall, the malware comes hidden in free wallpaper, video or photo editing apps. It's a new variant of malware that McAfee spotted earlier this year on the Play Store.
But what makes ExpensiveWall malware different from its other variants, is that it makes use of an advanced obfuscation technique called "packed" which compresses malicious code and encrypts it to evade Google Play Store's built-in anti-malware protections.
The researchers notified Google of the malicious apps on August 7, and the software giant quickly removed all of them, but within a few days, the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.


How ExpensiveWall works?


Once an app with ExpensiveWall—which researchers think came from an SDK called GTK—is downloaded on a victim's device, it asks for the user's permission to access the Internet, and send and receive SMS.
The internet access is used by the malware to connect the victim's device to the attacker's command and control (C&C) server, where it sends information including its location alongside unique hardware identifiers, such as MAC and IP addresses, IMSI and IMEI numbers.
The C&C server then sends the malware a URL, which it opens in an embedded WebView window to download JavaScript code that begins to clock up bills for the victim by sending fraudulent premium SMS messages without their knowledge, and uses the victim's phone number to register for paid services.


A Brief History of Play Store Malware

  • Last month, over 500 Android apps with spyware capabilities were found on Play Store, which had been downloaded more than 100 million times.
  • In July, Lipizzan spyware apps were spotted on Play Store that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.
  • In June, more than 800 Xavier-laden apps were discovered on Google Play that had been downloaded millions of times, and the same month researchers found the first code-injecting rooting malware making the rounds on Google Play Store.
  • A month prior to it, researchers spotted 41 apps on Play Store hidden with the Judy Malware that infected 36.5 million Android devices with malicious ad-click software.
  • In April, over 40 apps with hidden FalseGuide malware were spotted on Play Store that made 2 Million Android users victims.
  • Earlier this year, researchers also discovered a new variant of the HummingBad malware, dubbed HummingWhale, hidden in more than 20 apps on Google Play Store, which were downloaded by over 12 Million users.
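
The permission request described under "How ExpensiveWall works?" (Internet access plus sending and receiving SMS) can be checked for in an app's manifest before it is installed. The sketch below is an added example, not part of the original post or of Check Point's report; it assumes the manifests have already been decoded to text XML (for example with apktool), and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Combination named in the post: network access for C&C plus SMS send/receive.
PREMIUM_SMS_COMBO = {P + "INTERNET", P + "SEND_SMS", P + "RECEIVE_SMS"}

def requested_permissions(manifest_xml):
    """Return (package, permission names) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package", "<unknown>"), perms

def audit(manifests):
    """Flag packages that request INTERNET + SEND_SMS + RECEIVE_SMS together."""
    findings = []
    for xml_text in manifests:
        try:
            package, perms = requested_permissions(xml_text)
        except ET.ParseError:
            # Binary (undecoded) or damaged manifest: cannot be judged here.
            findings.append(("<unparseable manifest>", "review-manually", []))
            continue
        if PREMIUM_SMS_COMBO <= perms:
            findings.append((package, "flag", sorted(PREMIUM_SMS_COMBO)))
        elif P + "SEND_SMS" in perms:
            findings.append((package, "review", sorted(perms & PREMIUM_SMS_COMBO)))
    return findings

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

SAMPLES = [
    _manifest("com.example.wallpapers", [P + "INTERNET", P + "SEND_SMS", P + "RECEIVE_SMS"]),
    _manifest("com.example.photoeditor", [P + "INTERNET"]),
    _manifest("com.example.dialer", [P + "SEND_SMS"]),
    "\x03\x00\x08\x00 binary AXML, not decoded",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

A flag is a prompt for review rather than a verdict: a messaging app legitimately needs these permissions, while a wallpaper or photo editing app does not.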
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,742
My S8 has a built-in antivirus and I use Google Play Protect as well... the only unknown source software I use are Adguard and Amazon Store so it's only turned off when either one of those needs an update.

Software and OS updates are always installed as soon as they are made available as well.
 

Captain Awesome

Level 24
Verified
Top Poster
Well-known
May 7, 2016
1,307
  1. Disabled installation from "Unknown sources"
  2. Carefully reviewing different app permissions (Android 6.0+)
  3. Google Play Protect / 3rd party Antivirus
  4. Immediate installation of available OS updates
  5. Security patch.
These are my security mechanisms for a safer Android. :)(y)
 

Parsh

Indeed the "Play Store" is a haven for spyware/adware etc!! :mad:
If I do install an app I carefully check "permissions" it needs on my tablet/phone, but even then you can't be sure!! (n)
I think that the latter statement is going to be the case for a long time for almost everyone. Still, it is better than blindly allowing apps to do their stuff with the many permissions they've been obtaining forever. Some apps clarifying the need for permissions on Play Store is a little good step we're seeing nowadays.

I have been using an app named "All In One Gestures" from Play store that has multiple accessibility features including one that helps to get rid of reaching out to hard-buttons (on phablets) without root. It uses Accessibility for that, Screen Overlay provision of Android.
I regularly explore many apps from the Store. Now, every time permission popups for any app emerged (after Android M update) and I touched "Allow" or otherwise, Android wouldn't register my selection. It would show this:
Screenshot_2017-09-16-13-24-01-481_com.android.packageinstaller.png
I read on multiple forums about this Screen Overlay-Permissions issue in newer Android versions and people were complaining about this "bug", and I began to partially accept it so... Later on, on Google forums, it was clarified that this is a security provision in Android, since apps with Screen Overlay permissions can manipulate screen content in some ways. These can allow some app permissions without the user's intent, for example.

My S8 has a built-in antivirus and I use Google Play Protect as well... the only unknown source software I use are Adguard and Amazon Store so it's only turned off when either one of those needs an update.
Software and OS updates are always installed as soon as they are made available as well.
The McAfee right? May I ask how has your experience been with that one?
I used to have lots of non-Play Store apps that I slowly discarded for security reasons mainly. Now I only have Adguard (from MT) and a packages manager installed from outside. Network access for the Packages manager tool blocked.
 

mlnevese


Basically I don't even notice it's there... I sometimes open the maintenance center just to check and there it is the last update and automatic scan dates :)

It also allows on demand scan of your device at any time. No noticeable drain on the battery.
 

Parsh

so what is the solution to the problem?
There are tons of interesting apps on the Play Store with tens of thousands of downloads and it might be difficult to make out if some app is suspicious/malicious or not.
Honestly, there are rare chances of encountering malicious apps.. while rogue apps and adware might be more easily encountered. Trust only known and famous apps for your phone. Stay away from non-Play Store apps.

I believe that you'll find the majority of your answer from the many poll options of this thread. Besides those, you can follow a few more points for greater security & privacy:
  • Restrict "Device Administrator" rights (when such popup appears) to only highly trusted apps
  • Restrict "Screen Overlay" permissions to only highly trusted apps
  • Limit the number of apps with "Usage Access" in Accessibility settings (google it if not familiar)
  • Do not root your phone / OEM unlock unless you know what you're doing and how to mitigate weak points after rooting
  • Keep "USB Debugging" disabled unless required
 