Another month, another malware outbreak in Google's Play Store

50 apps get pulled as ExpensiveWall malware runs riot in the store

By Iain Thomson in San Francisco

Posted in Security, 15th September 2017 00:24 GMT

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory's code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from the user's phone, leaving them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

The malware is a strain that the researchers first spotted in the Play Store in January, but with one crucial difference. This time the authors had encrypted and compressed the malware, making it impossible for Google's automated checking processes to spot.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.
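A manifest-level triage check for the behaviour described above, added here as an example and not code from Check Point, Google or The Register: it parses an Android manifest and flags the permission combination the article names (internet access plus sending and receiving SMS), SEND_SMS requested by an app category that has no use for it, and, on the assumption that the handset identifiers and location the report mentions require READ_PHONE_STATE and a location permission, the fingerprinting set too. The two manifests are constructed samples and the package names are placeholders. The WebView and downloaded JavaScript stage lives in code rather than the manifest, so this check cannot see it.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

# Android manifest attributes live in this namespace; the "name" attribute on a
# <uses-permission> element is therefore "{ns}name" to ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The capability set described in the article: network access plus sending and
# receiving SMS is exactly what a premium-SMS fraud payload needs.
PREMIUM_SMS_COMBO = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}

# Permissions that gate the handset data the report says went to the C2 server.
# Assumption: IMEI/IMSI need READ_PHONE_STATE and location needs one of the
# location permissions; these are standard Android names, not from the article.
FINGERPRINT_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# App categories for which sending SMS is a plausible core feature. Anything
# else (a wallpaper app, say) asking for SEND_SMS deserves a closer look.
SMS_EXPECTED_CATEGORIES = {"messaging", "telephony"}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, category: str) -> List[str]:
    """Return human-readable findings for an app's manifest; empty means no flag."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if PREMIUM_SMS_COMBO <= perms:
        findings.append("premium-SMS capable: INTERNET + SEND_SMS + RECEIVE_SMS")
    if "android.permission.SEND_SMS" in perms and category not in SMS_EXPECTED_CATEGORIES:
        findings.append("SEND_SMS requested by a %r app" % category)
    fingerprint = sorted(perms & FINGERPRINT_PERMS)
    if fingerprint and "android.permission.INTERNET" in perms:
        findings.append("device identifiers/location plus network: " + ", ".join(fingerprint))
    return findings


# Constructed sample manifests (not real apps); package names are placeholders.
BENIGN_WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

SUSPECT_WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_WALLPAPER), ("suspect", SUSPECT_WALLPAPER)):
        print(label, triage(manifest, "wallpaper") or ["no findings"])
```

This is a coarse first-pass filter rather than a verdict: a legitimate messaging app will trip the SMS combination, and a packed payload that requests the permissions at runtime or hides behind a later-downloaded script needs dynamic analysis to catch. Its value is in ranking which submissions get that deeper look, and in catching the obvious mismatch between what an app claims to be and what it asks for.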

"Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store," the researchers note. "However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later."

Google's comment scanning is as bad as Bouncer

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload, and it appears that the apps were being promoted on Instagram.

Cases of malware infecting Google's Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple's App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino's app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple's smaller market share also means malware writers tend not to target iOS.

Google's Bouncer automated code-checking software, meanwhile, appears to be very easily fooled. Google advised users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It's clear something's going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android's current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®
