Android Apps Infected with ExpensiveWall Malware Downloaded 21M Times

Time and again we have witnessed the reality to be reinforced that it is extremely difficult to maintain the optimal security of our devices. Google, has infused great efforts in ensuring the security of software, Android apps, and devices, however, it turns out that it is next to impossible.

Lately, we have seen Google Play Store becoming the victim of Trojan malware quite a few times, and as per latest reports, a new version of an old malware called ExpensiveWall has been found in many everyday use apps available on Play Store. What’s more disturbing is the fact that the malicious apps have been downloaded 4.2 million times. The new variant and its older version both are believed to have been downloaded between 5.9 and 21.1 million times.

More: Xafecopy Malware Secretly Steals Money From Android Devices

This particular malware campaign against Android devices is being touted as the biggest ever malware outbreak in recent times that makes fraudulent subscriptions on user behalf without their knowledge or consent. The malware is dubbed ExpensiveWall because it was initially spotted in a number of wallpaper apps by Check Point cybersecurity firm and it was named after a free wallpaper app called LovelyWall.

According to Check Point’s research team, the malware sends fake premium SMS messages to charge users’ account for services that they haven’t subscribed to. Check Point also shared the list of applications harboring the malware. The older version of ExpensiveWall was discovered in January 2017 by McAfee.

ExpensiveWall Malware Identified in 50 Apps on Google
One of the premium service discovered by researchers that malware subscribes the user to.

ExpensiveWall was hidden in numerous apps majority of which were seemingly harmless photo or video editing, camera and free wallpaper applications available on Google Play Store. At least 50 applications contained this piece of malware before it was deleted from the Play Store. Check Point researchers claim that the malware is distributed through a software developer kit known as gtk that is embedded into their apps.

ExpensiveWall Malware Identified in 50 Apps on Google
One of the infected apps

The trojanized app compelled people to subscribe through SMS and the app was remotely installed, but its actual function was to steal and leak sensitive personal data such as phone number, IP address, GPS location and installed applications on the infected device. This particular app was downloaded millions of times, and hence data from such an astounding number of devices was leaked due to this app.

Security experts observed a stark similarity between these malware, which is that the number of infected devices is not in hundreds or thousands but millions in both instances. ExpensiveWall was downloaded millions of times despite the fact that it had low star reviews on Play Store while some got to know about it through ads on Instagram.

More: BlueBorne Bluetooth Flaw Affects Millions of Android Smartphones, IoT, and PCs

According to security experts Andrey Polkovnichenko, Bohdan Melnykov and Elena Root, ExpensiveWall is different from other malware in this family because it is ‘packed,’ which refers to an advanced “obfuscation technique” that malware developers use for encrypting malicious code so that the malware can evade the default anti-malware protections of Google Play Store.

These apps were downloaded millions of time without leaving any suspicion

In Packing technique, attackers hid the malicious code from Google by compressing and encrypting the executable file before its uploading on Play Store. The package also includes a key that reassembles the executable after the file has made it to the targeted device. Despite being decade-old technique, it remains an effective method for hackers.

After Check Point security firm informed Google about the presence of malware in around 50 of Play Store apps, the tech giant removed them but it was too late as more than 5,000 devices were infected within days. It is yet unknown how much revenue was generated through the malware. Although the apps are now removed, many devices will remain infected until the malicious titles are uninstalled explicitly.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'