Fi8sVrs, posted September 15, 2017

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.” ExpensiveWall is a new variant of a malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times. What makes ExpensiveWall different from its other family members is that it is ‘packed’: an advanced obfuscation technique used by malware developers to encrypt malicious code, allowing it to evade Google Play’s built-in anti-malware protections.

Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Figure 1: One of the malicious apps containing ExpensiveWall.

It’s important to point out that any infected app installed before it was removed from the app store still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices.

What does ExpensiveWall do?

The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.

Why is ExpensiveWall dangerous?
While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could easily be modified to use the same infrastructure to capture pictures, record audio, and even steal sensitive data and send it to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

How does ExpensiveWall work?

Once ExpensiveWall is downloaded, it requests several common permissions, including internet access, which allows the app to connect to its C&C server, and SMS permissions, which enable it to send premium SMS messages and register users for other paid services, all without the user’s knowledge. While these permissions are harmful in the context of malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.

ExpensiveWall contains an interface that connects in-app actions to JavaScript code running inside a WebView (Android’s embedded browser component), meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers such as MAC and IP addresses, IMSI, and IMEI.

Figure 2: Clicking functionality used by the ExpensiveWall malware.

Each time the device is switched on, or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in an embedded WebView. This page contains malicious JavaScript code that can invoke in-app functions through the JavascriptInterface, such as subscribing the user to premium services and sending SMS messages.
The malware initiates the JavaScript code by silently clicking on the links in the web page, in the same way it clicks on ads on other occasions.

Subscribing victims to paid services

The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below:

Figure 3: Code used to obtain the phone number.

Figure 4: A premium service the malware subscribes the user to.

Sending premium SMS messages

In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called “Continue,” and once the user clicks the button, the malware sends a premium SMS on their behalf. Below is an example of the HTML code containing the embedded JavaScript:

Figure 5: Embedded JavaScript responsible for sending SMS messages.

ExpensiveWall on Google Play

The malicious activities did not go unnoticed by users, as one notes below:

Figure 6: Users’ comments on an ExpensiveWall app.

As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks, including Instagram, which might explain how it came to be downloaded so many times.

See Check Point Research for the complete technical report.

After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is discussed here, and the third contains the code but does not actively use it.

Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as seemingly harmless adware.
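The behaviour described above combines four things that are each unremarkable on their own: SMS permissions, a receiver that wakes the app on boot or on a connectivity change, a remote page loaded into a WebView, and an addJavascriptInterface bridge that lets page JavaScript call app methods. A static triage pass looks for the combination rather than any single signal. The Python script below is an added example written for this page, not Check Point’s code and not the malware’s; the manifest and the decompiled fragment it scans are constructed samples with hypothetical package and class names, and the signal names are chosen for this example.

```python
"""Static triage for the SMS/WebView-bridge pattern described in the write-up.

Added example for this page, not Check Point's code. Each signal is common in
benign apps; only the combination (SMS permission + remote page loaded into a
WebView + addJavascriptInterface bridge) is flagged for review.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.net.conn.CONNECTIVITY_CHANGE"}

# Constructed sample manifest (hypothetical package name), modelled on the
# permission set and wake-up triggers the write-up describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed fragment of decompiled source (hypothetical class names) showing
# the bridge call that lets page JavaScript reach app methods.
SAMPLE_SOURCE = """
public class WallActivity extends Activity {
    void show(WebView w, String url) {
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new Bridge(this), "app");
        w.loadUrl(url);
    }
}
"""


def manifest_signals(manifest_xml):
    """Permissions and receiver triggers pulled from an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    actions = {a.get(NAME_ATTR)
               for r in root.iter("receiver") for a in r.iter("action")}
    return {
        "internet": "android.permission.INTERNET" in perms,
        "sms_permission": bool(perms & SMS_PERMS),
        "identity_permission": bool(perms & IDENTITY_PERMS),
        "wake_receiver": bool(actions & WAKE_ACTIONS),
    }


def source_signals(source):
    """WebView usage patterns found by plain regex over decompiled source."""
    return {
        "js_enabled": bool(re.search(r"setJavaScriptEnabled\s*\(\s*true\s*\)", source)),
        "js_bridge": bool(re.search(r"\baddJavascriptInterface\s*\(", source)),
        "loads_url": bool(re.search(r"\bloadUrl\s*\(", source)),
    }


def triage(manifest_xml, source):
    """Combine the signals; flag only when all legs of the pattern are present."""
    signals = {**manifest_signals(manifest_xml), **source_signals(source)}
    flagged = (signals["internet"] and signals["sms_permission"]
               and signals["js_bridge"] and signals["loads_url"])
    return {"signals": signals, "score": sum(signals.values()), "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    for name, present in result["signals"].items():
        print(f"{name:20s} {'yes' if present else 'no'}")
    print("verdict:", "review (SMS + WebView bridge pattern)" if result["flagged"]
          else "combined pattern not present")
```

Run it against the manifest and decompiled sources of an APK you have unpacked (for example with apktool or jadx); the regex scan is deliberately crude, so treat a hit as a reason to inspect what the exposed bridge methods do, not as a verdict. Removing the SEND_SMS line from the sample manifest drops the flag while leaving the score at six, which is the point: the score ranks, the combination decides.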
ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

How to stay protected

Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within the context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available. Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point Anti-Bot Blade, which provides protection against this threat with the signature Trojan.AndroidOS.ExpensiveWall.

Appendix 1: List of package names and downloads (Min and Max are the download range shown by Google Play)

Package Name | App Name | Min | Max | Uploaded to Google Play
com.star.trek | I Love Fliter | 1,000,000 | 5,000,000 | 18/09/2016
com.newac.toolbox | Tool Box Pro | 500,000 | 1,000,000 | 19/10/2015
com.newac.wallpaper | X WALLPAPER | 500,000 | 1,000,000 | 27/09/2015
com.yeahmobi.horoscopeinter | Horoscope | 500,000 | 1,000,000 | 16/03/2015
com.gkt.xwallpaper | X Wallpaper Pro | 500,000 | 1,000,000 | 02/06/2015
com.gwqcv.zsfy | Beautiful Camera | 100,000 | 500,000 | 11/05/2017
com.hdsj.hdey | Color Camera | 100,000 | 500,000 | 16/03/2017
com.lovephoto.gp.inter | Love Photo | 100,000 | 500,000 | 13/03/2017
com.parrot.tidecmr | Tide Camera | 100,000 | 500,000 | 22/03/2017
com.zerg.charmingcmr | Charming Camera | 100,000 | 500,000 | 22/03/2017
com.constellation.prophecy | Horoscope | 100,000 | 500,000 | 30/06/2016
com.desktoptools.screenunsubscribe | DIY Your Screen | 100,000 | 500,000 | 21/07/2016
com.gkt.ringtonegp | Ringtone | 100,000 | 500,000 | 02/06/2015
com.gpthtwo.horoscope | ดวง 12 ราศี Lite | 100,000 | 500,000 | 03/11/2015
com.guard.defend | Safe locker | 100,000 | 500,000 | 17/06/2016
com.newac.wifibooster | Wifi Booster | 100,000 | 500,000 | 04/11/2015
com.newera.desktop | Cool Desktop | 100,000 | 500,000 | 30/06/2016
com.newera.toolbox | useful cube | 100,000 | 500,000 | 12/06/2016
com.pl.toolboxpro | Tool Box Pro | 100,000 | 500,000 | 22/01/2016
com.something.someone | Useful Desktop | 100,000 | 500,000 | 17/09/2016
com.yeahmobi.horoscope | ดวง 12 ราศี Lite | 100,000 | 500,000 | 20/28/2014
com.yeahmobi.horoscopegpadap | Horoscope2.0 | 100,000 | 500,000 | 23/03/2015
com.cegqz.uoud | Yes Star | 50,000 | 100,000 | 03/05/2017
com.cmr.shiny | Shiny Camera | 50,000 | 100,000 | 03/05/2017
com.johg.udrad | Simple Camera | 50,000 | 100,000 | 07/07/2017
com.scamera.smiling | Smiling Camera | 50,000 | 100,000 | 07/06/2017
com.cmr.universal | Universal Camera | 50,000 | 100,000 | 16/05/2017
com.gb.toolbox | Amazing Toolbox | 50,000 | 100,000 | 23/03/2016
com.genesis.awesome | Easy capture | 50,000 | 100,000 | 24/10/2016
com.newera.memorydoctor | Memory Doctor | 50,000 | 100,000 | 15/06/2016
com.pl.toolbox | Tool Box Pro | 50,000 | 100,000 | 08/12/2015
com.sexy.pic | Reborn Beauty | 50,000 | 100,000 | 28/07/2016
com.joy.photo.gp.inter | Joy Photo | 50,000 | 100,000 | 02/08/2016
com.fancy.camera.gp.inter | Fancy Camera | 50,000 | 100,000 | 09/08/2016
com.amazing.photo.gp.inter | Amazing Photo | 50,000 | 100,000 | 13/09/2016
com.amazing.camera.ggi | Amazing Camera | 50,000 | 100,000 | 05/01/2017
com.super.wallpaper.gp.inter | Super Wallpaper | 50,000 | 100,000 | 30/08/2016
com.aolw.maoa | DD Player | 10,000 | 50,000 | 13/03/2017
com.bbapcmr.fascinating | Fascinating Camera | 10,000 | 50,000 | 13/04/2017
com.coral.muse | Universal Camera | 10,000 | 50,000 | 13/07/2017
com.cream.lecoa | Cream Camera | 10,000 | 50,000 | 27/03/2017
com.dmeq.oopes | Looking Camera | 10,000 | 50,000 | 23/05/2017
com.dosl.wthre | DD Weather | 10,000 | 50,000 | 23/05/2017
com.fqaf.dlksk | Global Weather | 10,000 | 50,000 | 03/05/2017
com.ivxz.ykvlf | Love Fitness | 10,000 | 50,000 | 23/05/2017
com.jpst.lsyk | Pretty Pictures | 10,000 | 50,000 | 06/04/2017
com.kifb.mifv | Cool Wallpapers | 10,000 | 50,000 | 10/01/2017
com.magic.beautycmr | Beauty Camera | 10,000 | 50,000 | 04/04/2017
com.opaly.nqib | Love locker | 10,000 | 50,000 | 12/05/2017
com.real.stargh | Real Star | 10,000 | 50,000 | 27/02/2017
com.sadcmr.magic | Magic Camera | 10,000 | 50,000 | 14/06/2017
com.scamera.wonder | Wonder Camera | 10,000 | 50,000 | 14/06/2017
com.scmr.funny | Funny Camera | 10,000 | 50,000 | 02/06/2017
com.simon.easy | Easy Camera | 10,000 | 50,000 | 28/02/2017
com.smgft.keyboard | Smart Keyboard | 10,000 | 50,000 | 14/06/2017
com.xnoc.jdvy | Travel Camera | 10,000 | 50,000 | 02/05/2017
com.yiuw.fhly | Photo Warp | 10,000 | 50,000 | 20/01/2017
com.yjmn.vokle | Lovely Wallpaper | 10,000 | 50,000 | 07/07/2017
com.ysyg.wtmca | Lattice Camera | 10,000 | 50,000 | 09/06/2017
fast.bats.chaz | Quick Charger | 10,000 | 50,000 | 08/05/2017
com.upcamera.xgcby | Up Camera | 10,000 | 50,000 | 18/01/2017
com.photo.power.gp | Photo Power | 10,000 | 50,000 | 23/11/2016
com.asdf.fg.hdwallpaper | HDwallpaper | 10,000 | 50,000 | 13/12/2016
com.gb.wonderfulgames | Wonderful Games | 10,000 | 50,000 | 09/04/2016
com.gkt.fileexplorer | BI File Manager | 10,000 | 50,000 | 01/08/2016
com.gkt.wallpapershd | Wallpapers HD | 10,000 | 50,000 | 03/01/2016
com.kevin.beautyvideo | Beautiful Video-Edit your Memory | 10,000 | 50,000 | 22/09/2016
com.newera.beautifulphoto | Wonderful Cam | 10,000 | 50,000 | 12/06/2016
com.next.toolset | useful cube | 10,000 | 50,000 | 30/06/2016
com.ringtone.freshac | Ringtone | 10,000 | 50,000 | 26/11/2015
com.gkt.gamebar | Exciting Games | 10,000 | 50,000 | 15/09/2015
com.replica.adventure.gp | Replica Adventure | 10,000 | 50,000 | 07/07/2016
com.gg.player.gp | GG Player | 10,000 | 50,000 | 12/07/2016
com.love.camera.gp | Love Camera | 10,000 | 50,000 | 20/10/2016
com.oneshot.beautify.gp | Oneshot Beautify | 10,000 | 50,000 | 01/08/2016
com.pretty.camera.gp | Pretty Camera | 10,000 | 50,000 | 18/10/2016
com.hygk.hlhy | CuteCamera | 5,000 | 10,000 | 22/02/2017
com.kkcamera.akbcartoon | Cartoon Camera-stylish, clean | 5,000 | 10,000 | 08/03/2017
com.craft.decorate | Art Camera | 5,000 | 7,000 | 13/08/2017
com.amazing.video.gp | Amazing Video | 5,000 | 10,000 | 16/11/2016
com.fine.photo.gp | Fine Photo | 5,000 | 10,000 | 22/12/2016
com.applocker.coldwar | Infinity safe | 5,000 | 10,000 | 09/09/2016
com.final.horosope | Magical Horoscope | 5,000 | 10,000 | 21/02/2017
com.gp.toolboxche | Toolbox | 5,000 | 10,000 | 28/04/2016
com.prettygirl.newyear | Cute Belle | 5,000 | 10,000 | 12/01/2017
com.roy.cartoonwallpaper | CartoonWallpaper | 5,000 | 10,000 | 06/09/2016
com.thebell.newcentury | Ringtone | 5,000 | 10,000 | 01/08/2016
com.aypx.ygzp | Best Camera | 1,000 | 5,000 | 16/02/2017
com.colorful.locker | Colorful Locker | 1,000 | 5,000 | 09/05/2017
com.hlux.wfsha | Light Keyboard | 1,000 | 5,000 | 21/07/2017
com.ytkue.oprw | Safe Privacy | 1,000 | 5,000 | 07/06/2017
com.qwer.enjoy.enjoywallpaper | Enjoy Wallpaper | 1,000 | 5,000 | 03/11/2016
com.file.manager.gp | File Manager | 1,000 | 5,000 | 13/12/2016
com.highfirst.fancylocker | Fancy locker | 1,000 | 5,000 | 05/01/2017
com.cute.puzzle.gp | Cute Puzzle | 1,000 | 5,000 | 05/10/2016
com.keyboard.smile | Smile Keyboard | 500 | 707 | 16/05/2017
com.owexs.iouert | Vitality Camera | 100 | 500 | 04/07/2017
com.tools.yidian | Lock Now | 100 | 500 | 23/01/2017
com.camera.kfcfancy | Fancy Camera | 100 | 500 | 20/03/2017
com.hhcamera.useful | Useful Camera | 100 | 224 | 06/03/2017
com.owexs.iouert | Vitality Camera | 100 | 224 | 04/07/2017
com.sec.transfer | Sec Transfer | 100 | 136 | 14/03/2017
com.tools.yidian | Lock Now | 100 | 500 | 23/01/2017
com.bpmiddle.oneversion | Magic Filter | 100 | 224 | 21/09/2016
com.funny.video.gp | Funny Video | 100 | 500 | 07/10/2016
com.ads.wowgames | Amazing Gamebox | 100 | 224 | 22/05/2016
com.wtns.superlocker | Super locker | 10 | 50 | 25/04/2017
com.musicg.ckiqp | Music Player | 1 | 2 | 06/04/2017
Total | | 5,904,511 | 21,101,567 |

Source: https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
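Removal from Google Play does not uninstall an app that is already on a device, so the package names in the appendix are what an administrator needs to check a fleet against. The Python script below is an added example for this page, not Check Point tooling: it parses the output of `adb shell pm list packages` (with or without `-f`, whose lines carry the APK path before the package name), matches it against package names from the appendix, and prints the uninstall commands. The indicator set is a sample copied from the appendix rows, to be extended with the rest; the device output it runs on by default is constructed.

```python
"""Check installed packages against the ExpensiveWall package list.

Added example for this page, not Check Point tooling. Input is the output of
`adb shell pm list packages` (lines `package:<name>`, or `package:<path>=<name>`
when run with -f). The indicator set is a sample copied from the appendix.
"""

# Subset of package names from Appendix 1; extend with the remaining rows.
EXPENSIVEWALL_PACKAGES = {
    "com.star.trek", "com.newac.toolbox", "com.newac.wallpaper",
    "com.yeahmobi.horoscopeinter", "com.gkt.xwallpaper", "com.gwqcv.zsfy",
    "com.hdsj.hdey", "com.lovephoto.gp.inter", "com.guard.defend",
    "com.newac.wifibooster", "com.yjmn.vokle", "fast.bats.chaz",
    "com.smgft.keyboard", "com.musicg.ckiqp",
}

# Constructed sample of `pm list packages` output; two entries are from the appendix.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.yjmn.vokle
package:com.google.android.gms
package:com.example.notes
package:fast.bats.chaz
"""


def parse_pm_list(text):
    """Package names from `pm list packages` output; tolerates -f style lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # ignore warnings or blank lines in the dump
        rest = line[len("package:"):]
        # With -f the line is package:<apk path>=<package name>
        names.append(rest.rsplit("=", 1)[-1].strip())
    return names


def find_matches(installed, indicators=EXPENSIVEWALL_PACKAGES):
    """Installed packages that appear in the indicator set, sorted for stable output."""
    return sorted(set(installed) & set(indicators))


def removal_commands(matches):
    """adb commands to uninstall each flagged package."""
    return [f"adb uninstall {pkg}" for pkg in matches]


if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:  # read from a connected device instead of the sample
        text = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_PM_OUTPUT
    hits = find_matches(parse_pm_list(text))
    if not hits:
        print("no ExpensiveWall packages found")
    for cmd in removal_commands(hits):
        print(cmd)
```

Without arguments the script runs on the embedded sample and prints the two uninstall commands; with `--live` it reads the package list from the device attached to adb. Matching is on exact package name, which is the stable identifier here: several appendix entries share an app name (three different packages are called Tool Box Pro), so the display name alone would not be a reliable check.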