Security researchers from Check Point found new malicious software called ExpensiveWall, which sends SMS messages and withdraws money from a user's account without the user's knowledge to pay for access to premium services on fraudulent sites. According to the researchers, the malware was contained in the application Lovely Wallpaper and a number of others, which were downloaded about 4.2 million times. In total, Google has removed about 50 infected applications from the Google Play Store.

ExpensiveWall is a new version of malware that was first discovered on Google Play earlier this year. During this time, the various versions of the malware were downloaded between 5.9 million and 21.1 million times. The main difference between ExpensiveWall and the other versions is its use of advanced obfuscation techniques that allow it to bypass Google Play's protections: the malicious code is compressed and encrypted to evade detection.

In early August, Google removed the infected applications, but a new infected application later appeared on Google Play and was downloaded another 5,000 times. According to the researchers, the amount of income the intruders received from the fraudulent scheme is unknown.

After installation, the infected application requests several permissions, including access to the Internet (for communication with the C&C server) and permission to send SMS messages (to register users on fraudulent sites). ExpensiveWall contains an interface that links actions in the application with JavaScript code running in the embedded WebView. After installing and obtaining the necessary permissions, ExpensiveWall sends data about the infected device to the C&C server, including information about its location and unique identifiers such as MAC and IP addresses, IMSI and IMEI.

When a user connects to the Android device or changes the connection settings, the malware connects to the server and receives a link that opens in the embedded WebView. This page contains malicious JavaScript code that launches functions inside the application using the JavaScript Interface, the researchers explained. The malware uses the user's phone number to subscribe to various paid services.
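The behaviour described above leaves two static traces that a reviewer can check in a decoded APK: the INTERNET plus SEND_SMS permission pair in the manifest, and a WebView JavaScript bridge alongside SMS-sending calls in decompiled code. The following triage sketch is an added example, not code from Check Point or from the malware; the sample manifest, package name and file paths are constructed, and the input is assumed to be a text `AndroidManifest.xml` and decompiled Java sources.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission pair described in the article: C&C traffic plus SMS sending.
RISKY_PAIR = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Android API calls: the WebView-to-app bridge and SmsManager send methods.
CODE_MARKERS = {
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "sms_send": re.compile(r"send(?:Multipart)?TextMessage\s*\("),
}

def requested_permissions(manifest_xml):
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml, sources):
    """Return findings for one decoded app; sources maps path -> file text."""
    findings = []
    risky = RISKY_PAIR <= requested_permissions(manifest_xml)
    if risky:
        findings.append("manifest: INTERNET and SEND_SMS requested together")
    hits = {label: sorted(p for p, text in sources.items() if rx.search(text))
            for label, rx in CODE_MARKERS.items()}
    if risky and hits["js_bridge"] and hits["sms_send"]:
        findings.append("code: JavaScript bridge in SMS-capable app: "
                        + ", ".join(hits["js_bridge"]))
    return findings

# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_SOURCES = {
    "com/example/wallpaper/Page.java":
        'webView.addJavascriptInterface(new Bridge(this), "bridge");',
    "com/example/wallpaper/Bridge.java":
        "SmsManager.getDefault().sendTextMessage(num, null, body, null, null);",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

Because the article notes that the malicious code is compressed and encrypted, the source-level markers may be absent from a packed sample; the manifest finding still fires in that case and is the more dependable of the two signals.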

Currently ExpensiveWall is used exclusively for profit, but it can be modified to capture screenshots, record audio, steal confidential data, etc. Because the malware operates without the user noticing, it can be used as a tool for espionage, the researchers warn.
