Cybersecurity researchers at Trend Micro and McAfee have separately published reports to alert users about a new set of fake and malware-infected Android applications on the Google Play Store. These malicious apps can carry out billing fraud by hijacking SMS message notifications.
According to researchers, users in the Arabian Peninsula and Southwest Asia are the prime targets in this campaign and these apps had garnered nearly 750,000 downloads before being removed from the Play Store.
Versatile Array of Fraudulent Apps Found
McAfee researchers stated that a wide range of apps, such as photo editors, puzzles, wallpapers, keyboard skins, and similar camera-related applications, were plagued with malware.
“These fraudulent apps hijack SMS message notifications and then make unauthorized purchases. While apps go through a review process to ensure that they are legitimate, these fraudulent apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates to the app later,” the McAfee Mobile Research team noted in its blog post.
Fake Apps Embedded with Joker Malware
Research revealed that the fake applications were infected with the Joker (aka Bread) malware, which has repeatedly bypassed Google Play's defenses over the past four years. That is why Google had to remove over 1,700 apps from the Play Store earlier in 2020.
McAfee suspects another threat under the moniker Etinu, which conducts billing fraud and has spyware capabilities. It can steal SMS messages, device data, and contact lists.
Versioning Technique Used to Lure Users
Researchers claim that the malware operators used a versioning technique: they upload a clean version of the app to the Play Store to gain user trust, then sneakily add malicious code through later app updates. This code serves as the first-stage payload, masquerading as .png files. It also connects to a C&C server to retrieve a secret key that decrypts the file into a loader.
This temporary payload then loads another payload, which is decrypted to install the malware. McAfee researchers stated that the malware operators are looking to steal users’ private information, such as phone number, carrier name, SMS messages, country, network status, and IP address, and to auto-renew subscriptions.
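As an added defender-side example (not code from the McAfee or Trend Micro reports), the check below validates the structure of an app asset that claims to be a .png: signature, chunk CRCs, IHDR first, IEND last, and no bytes after IEND. A payload disguised as an image, as described above, typically fails one of these checks. The sample bytes are constructed here, not taken from any real app.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit RGB PNG used as a known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\x00\x00\x00"  # filter byte + one RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def inspect_png_asset(data: bytes) -> dict:
    """Walk the chunk list and report anything that is not plain PNG."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return {"valid": False, "findings": ["bad PNG signature"], "trailing_bytes": 0}
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            findings.append("truncated chunk %r" % ctype)
            break
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append("CRC mismatch in chunk %r" % ctype)
        chunks.append(ctype)
        pos = crc_off + 4
        if ctype == b"IEND":
            break  # a real PNG ends here; anything after is suspicious
    if not chunks or chunks[0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if not chunks or chunks[-1] != b"IEND":
        findings.append("no IEND chunk")
    trailing = max(len(data) - pos, 0)
    if trailing:
        findings.append("%d trailing bytes after last chunk" % trailing)
    return {"valid": not findings, "findings": findings, "trailing_bytes": trailing}
```

Run it over every `*.png` under an APK's `assets/` or `res/` directories; a file that fails validation or carries trailing data deserves a closer look.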
Which Apps Were Removed?
According to Trend Micro’s blog post, nine apps in total were identified as fraudulent and removed from the Play Store. These include:
- com.daynight.keyboard.wallpaper (Keyboard Wallpaper)
- com.pip.editor.camera2021 (PIP Photo Maker 2021)
- com.light.super.flashlight (Flashlight)
- com.super.color.hairdryer (Sound Prank Hair Clipper, Fart, Crack Screen Prank)
- com.super.star.ringtones (Pop Ringtones)
- cool.girly.wallpaper (SubscribeSDK; found in VirusTotal)