
ExpensiveWall signs users up to fraudulent SMS services

19 Sep 2017

Some Android users may notice fraudulent charges on their accounts if they have been infected by a new strain of malware dubbed “ExpensiveWall”.

According to research from Check Point, the malware is named after one of the apps it infected, ‘Lovely Wallpaper’. It was also found in other apps, including X Wallpaper, Color Camera, Horoscope, Sale locker, Wifi Booster, Yes Star, Tool Box Pro, Memory Doctor, Global Weather and Music Player.

Discovered earlier this year, the malware is estimated to have been downloaded between 5.9 million and 21.1 million times.

While Google removed the original malware samples from Google Play, days later another variant popped up that infected more than 5000 devices.

While the malware is no longer available on Google Play, Check Point researchers warn that it still remains on victims’ devices.

ExpensiveWall is ‘packed’ to hide from anti-malware protections such as those in Google Play.

The malware registers victims to premium services without their knowledge, sends SMS messages and charges their accounts for the fraudulent services.

“While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov say in Check Point’s blog.

After being downloaded with compromised apps, ExpensiveWall then requests permissions including internet access. This is important to facilitate communication with its C&C server. It also requests SMS permissions so it is able to send the fraudulent premium SMS messages.

Researchers say that because many legitimate apps request similar permissions, most users grant them unwittingly, especially when the apps come from a trusted source such as Google Play.

ExpensiveWall also reports data about the device to its C&C server. That data includes location, MAC and IP addresses, IMSI and IMEI.

When the device is switched on or connected, the malware connects to its C&C server and loads a URL in an embedded WebView. It then silently clicks links on the loaded page, subscribing the user to premium services and sending SMS messages.
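The behaviour described above (SMS permissions plus internet access for C&C traffic, device identifiers reported home, activity triggered when the device is switched on) leaves a footprint in an app's manifest that a defender can check before installation. The script below is an added example, not Check Point's code or anything from the article: it parses an `AndroidManifest.xml`, collects the requested permissions and any receiver registered for `BOOT_COMPLETED`, and flags the combination of SMS and network permissions as high risk. The two manifests are constructed samples; treating a boot receiver as the "switched on" trigger is an assumption made for the example, as is the specific set of permissions grouped as identity-related.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree spelling of android:name

# Permission groups used by the triage. Grouping is the example's own choice.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
NETWORK_PERMS = {"android.permission.INTERNET"}
BOOT_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE",        # IMEI/IMSI
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def boot_receivers(manifest_xml):
    """Return names of <receiver> components filtering on BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) == BOOT_ACTION:
                found.append(receiver.get(NAME))
    return found


def triage(manifest_xml):
    """Score a manifest against the ExpensiveWall-style permission pattern."""
    perms = requested_permissions(manifest_xml)
    findings = []
    # SMS sending plus a network channel is the core of premium-SMS fraud.
    if perms & SMS_PERMS and perms & NETWORK_PERMS:
        findings.append("sms_and_network")
    # Assumed here: a boot-time trigger shows up as a boot receiver/permission.
    if perms & BOOT_PERMS or boot_receivers(manifest_xml):
        findings.append("runs_at_boot")
    if perms & IDENTITY_PERMS:
        findings.append("reads_device_identity")
    if "sms_and_network" in findings:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings, "permissions": sorted(perms)}


# Constructed sample: a wallpaper app asking for far more than wallpapers need.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaperapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a wallpaper app with a plausible, minimal permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is deliberately coarse: a legitimate messaging app will also request SMS and network permissions, so a "high" result is a reason to inspect the app's declared purpose and behaviour, not a verdict on its own. Pairing the manifest check with dynamic analysis of what the app actually does with a WebView and the SMS API is what the researchers' closing recommendation points at.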

“Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available,” researchers conclude.
