Jump to content
Fi8sVrs

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit your wallet

Recommended Posts

  • Active Members
Posted

whatsapp-telegraph-vulnerability-BlogGra

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.” ExpensiveWall is a new variant of a malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times.

What makes ExpensiveWall different than its other family members is that it is ‘packed’ – an advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections.

Learn how SandBlast Mobile protects against malware like ExpensiveWall.

Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

 

Figure-1-435x1024.png

Figure 1: One of the malicious apps containing ExpensiveWall.

It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices.

 

What does ExpensiveWall do?

The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.

 

Why is ExpensiveWall dangerous?

While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

 

How does ExpensiveWall work?

Once ExpensiveWall is downloaded, it requests several common permissions, including internet access – which allows the app to connect to its C&C server – and SMS permissions – which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.

ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI.

 

Figure-2.png

Figure 2: Clicking functionality used by the ExpensiveWall malware.

 

Each time the device is switched on, or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in an embedded WebView. This page contains a malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages. The malware initiates the JavaScript code by silently clicking on the links in the webpage, in the same way it clicks on ads in other occasions.

 

Subscribing victims to paid services

The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below:

Figure-3.png

Figure 3: Code used to obtain phone number.

 

Figure-4.png

Figure 4: A premium service the malware subscribes the user to.

 

Sending premium SMS messages

In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called “Continue,” and once the user clicks the button, the malware sends a premium SMS on his behalf. Below is an example of the HTML code containing the embedded JavaScript:

Figure-5.png

Figure 5: embedded JavaScript responsible for sending SMS messages.

 

ExpensiveWall on Google Play

The malicious activities did not go unnoticed by the users, as one notes below:

Figure-6-1024x745.png

Figure 6: User’s comments on an ExpensiveWall app.

 

As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.

See Check Point Research for the complete technical report.

After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.

Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

 

How to stay protected
Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and
blocking zero-day malware by using both static and dynamic app analysis. Only by examining the
malware within context of its operation on a device can successful strategies to block it be created.
Users and enterprises should treat their mobile devices just like any other part of their network, and
protect them with the best cybersecurity solutions available.

Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point
Anti-Bot Blade, which provides protection against this threat with the signature:
Trojan.AndroidOS.ExpensiveWall.

 

Appendix 1: List of Package names and downloads:

Package Name App Name min max Uploaded to Google Play
com.star.trek I Love Fliter 1,000,000 5,000,000 18/09/2016
com.newac.toolbox Tool Box Pro 500,000 1,000,000 19/10/2015
com.newac.wallpaper X WALLPAPER 500,000 1,000,000 27/09/2015
com.yeahmobi.horoscopeinter Horoscope 500,000 1,000,000 16/03/2015
com.gkt.xwallpaper X Wallpaper Pro 500,000 1,000,000 02/06/2015
com.gwqcv.zsfy Beautiful Camera 100,000 500,000 11/05/2017
com.hdsj.hdey Color Camera 100,000 500,000 16/03/2017
com.lovephoto.gp.inter Love Photo 100,000 500,000 13/03/2017
com.parrot.tidecmr Tide Camera 100,000 500,000 22/03/2017
com.zerg.charmingcmr Charming Camera 100,000 500,000 22/03/2017
com.constellation.prophecy Horoscope 100,000 500,000 30/06/2016
com.desktoptools.screenunsubscribe DIY Your Screen 100,000 500,000 21/07/2016
com.gkt.ringtonegp Ringtone 100,000 500,000 02/06/2015
com.gpthtwo.horoscope ดวง 12 ราศี Lite 100,000 500,000 03/11/2015
com.guard.defend Safe locker 100,000 500,000 17/06/2016
com.newac.wifibooster Wifi Booster 100,000 500,000 04/11/2015
com.newera.desktop Cool Desktop 100,000 500,000 30/06/2016
com.newera.toolbox useful cube 100,000 500,000 12/06/2016
com.pl.toolboxpro Tool Box Pro 100,000 500,000 22/01/2016
com.something.someone Useful Desktop 100,000 500,000 17/09/2016
com.yeahmobi.horoscope ดวง 12 ราศี Lite 100,000 500,000 20/28/2014
com.yeahmobi.horoscopegpadap Horoscope2.0 100,000 500,000 23/03/2015
com.cegqz.uoud Yes Star 50,000 100,000 03/05/2017
com.cmr.shiny Shiny Camera 50,000 100,000 03/05/2017
com.johg.udrad Simple Camera 50,000 100,000 07/07/2017
com.scamera.smiling Smiling Camera 50,000 100,000 07/06/2017
com.cmr.universal Universal Camera 50,000 100,000 16/05/2017
com.gb.toolbox Amazing Toolbox 50,000 100,000 23/03/2016
com.genesis.awesome Easy capture 50,000 100,000 24/10/2016
com.newera.memorydoctor Memory Doctor 50,000 100,000 15/06/2016
com.pl.toolbox Tool Box Pro 50,000 100,000 08/12/2015
com.sexy.pic Reborn Beauty 50,000 100,000 28/07/2016
com.joy.photo.gp.inter Joy Photo 50,000 100,000 02/08/2016
com.fancy.camera.gp.inter Fancy Camera 50,000 100,000 09/08/2016
com.amazing.photo.gp.inter Amazing Photo 50,000 100,000 13/09/2016
com.amazing.camera.ggi Amazing Camera 50,000 100,000 05/01/2017
com.super.wallpaper.gp.inter Super Wallpaper 50,000 100,000 30/08/2016
com.aolw.maoa DD Player 10,000 50,000 13/03/2017
com.bbapcmr.fascinating Fascinating Camera 10,000 50,000 13/04/2017
com.coral.muse Universal Camera 10,000 50,000 13/07/2017
com.cream.lecoa Cream Camera 10,000 50,000 27/03/2017
com.dmeq.oopes Looking Camera 10,000 50,000 23/05/2017
com.dosl.wthre DD Weather 10,000 50,000 23/05/2017
com.fqaf.dlksk Global Weather 10,000 50,000 03/05/2017
com.ivxz.ykvlf Love Fitness 10,000 50,000 23/05/2017
com.jpst.lsyk Pretty Pictures 10,000 50,000 06/04/2017
com.kifb.mifv Cool Wallpapers 10,000 50,000 10/01/2017
com.magic.beautycmr Beauty Camera 10,000 50,000 04/04/2017
com.opaly.nqib Love locker 10,000 50,000 12/05/2017
com.real.stargh Real Star 10,000 50,000 27/02/2017
com.sadcmr.magic Magic Camera 10,000 50,000 14/06/2017
com.scamera.wonder Wonder Camera 10,000 50,000 14/06/2017
com.scmr.funny Funny Camera 10,000 50,000 02/06/2017
com.simon.easy Easy Camera 10,000 50,000 28/02/2017
com.smgft.keyboard Smart Keyboard 10,000 50,000 14/06/2017
com.xnoc.jdvy Travel Camera 10,000 50,000 02/05/2017
com.yiuw.fhly Photo Warp 10,000 50,000 20/01/2017
com.yjmn.vokle Lovely Wallpaper 10,000 50,000 07/07/2017
com.ysyg.wtmca Lattice Camera 10,000 50,000 09/06/2017
fast.bats.chaz Quick Charger 10,000 50,000 08/05/2017
com.upcamera.xgcby Up Camera 10,000 50,000 18/01/2017
com.photo.power.gp Photo Power 10,000 50,000 23/11/2016
com.asdf.fg.hdwallpaper HDwallpaper 10,000 50,000 13/12/2016
com.gb.wonderfulgames Wonderful Games 10,000 50,000 09/04/2016
com.gkt.fileexplorer BI File Manager 10,000 50,000 01/08/2016
com.gkt.wallpapershd Wallpapers HD 10,000 50,000 03/01/2016
com.kevin.beautyvideo Beautiful Video-Edit your Memory 10,000 50,000 22/09/2016
com.newera.beautifulphoto Wonderful Cam 10,000 50,000 12/06/2016
com.next.toolset useful cube 10,000 50,000 30/06/2016
com.ringtone.freshac Ringtone 10,000 50,000 26/11/2015
com.gkt.gamebar Exciting Games 10,000 50,000 15/09/2015
com.replica.adventure.gp Replica Adventure 10,000 50,000 07/07/2016
com.gg.player.gp GG Player 10,000 50,000 12/07/2016
com.love.camera.gp Love Camera 10,000 50,000 20/10/2016
com.oneshot.beautify.gp Oneshot Beautify 10,000 50,000 01/08/2016
com.pretty.camera.gp Pretty Camera 10,000 50,000 18/10/2016
com.hygk.hlhy CuteCamera 5,000 10,000 22/02/2017
com.kkcamera.akbcartoon Cartoon Camera-stylish, clean 5,000 10,000 08/03/2017
com.craft.decorate Art Camera 5,000 7,000 13/08/2017
com.amazing.video.gp Amazing Video 5,000 10,000 16/11/2016
com.fine.photo.gp Fine Photo 5,000 10,000 22/12/2016
com.applocker.coldwar Infinity safe 5,000 10,000 09/09/2016
com.final.horosope Magical Horoscope 5,000 10,000 21/02/2017
com.gp.toolboxche Toolbox 5,000 10,000 28/04/2016
com.prettygirl.newyear Cute Belle 5,000 10,000 12/01/2017
com.roy.cartoonwallpaper CartoonWallpaper 5,000 10,000 06/09/2016
com.thebell.newcentury Ringtone 5,000 10,000 01/08/2016
com.aypx.ygzp Best Camera 1,000 5,000 16/02/2017
com.colorful.locker Colorful Locker 1,000 5,000 09/05/2017
com.hlux.wfsha Light Keyboard 1,000 5,000 21/07/2017
com.ytkue.oprw Safe Privacy 1,000 5,000 07/06/2017
com.qwer.enjoy.enjoywallpaper Enjoy Wallpaper 1,000 5,000 03/11/2016
com.file.manager.gp File Manager 1,000 5,000 13/12/2016
com.highfirst.fancylocker Fancy locker 1,000 5,000 05/01/2017
com.cute.puzzle.gp Cute Puzzle 1,000 5,000 05/10/2016
com.keyboard.smile Smile Keyboard 500 707 16/05/2017
com.owexs.iouert Vitality Camera 100 500 04/07/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.camera.kfcfancy Fancy Camera 100 500 20/03/2017
com.hhcamera.useful Useful Camera 100 224 06/03/2017
com.owexs.iouert Vitality Camera 100 224 04/07/2017
com.sec.transfer Sec Transfer 100 136 14/03/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.bpmiddle.oneversion Magic Filter 100 224 21/09/2016
com.funny.video.gp Funny Video 100 500 07/10/2016
com.ads.wowgames Amazing Gamebox 100 224 22/05/2016
com.wtns.superlocker Super locker 10 50 25/04/2017
com.musicg.ckiqp Music Player 1 2 06/04/2017
Total   5,904,511 21,101,567  

 

Source: https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...