Some Android users may notice fraudulent charges on their accounts if they have been infected by a new strain of malware dubbed “ExpensiveWall”.
According to research from Check Point, the malware is named after one of the apps it infected: ‘Lovely Wallpaper’. It also affected other apps including X Wallpaper, Color Camera, Horoscope, Sale locker, Wifi Booster, Yes Star, Tool Box Pro, Memory Doctor, Global Weather, Music Player and other apps.
Discovered earlier this year, the malware is suspected to account for 5.9 to up to 21.1 million downloads.
While Google removed the original malware samples from Google Play, days later another variant popped up that infected more than 5000 devices.
While the malware is no longer available on Google Play, Check Point researchers warn that it still remain on victims’ devices.
ExpensiveWall is ‘packed’ to hide from anti-malware protections such as those in Google Play.
The malware registers victims to premium services without their knowledge, sends SMS messages and charges their accounts for the fraudulent services.
“While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov say in Check Point’s blog.
After being downloaded with compromised apps, ExpensiveWall then requests permissions including internet access. This is important to facilitate communication with its C&C server. It also requests SMS permissions so it is able to send the fraudulent premium SMS messages.
Researchers say that because many legitimate apps request similar permissions, most users unwittingly grant them without permission, especially when apps come from trustworthy sources such as Google Play.
ExpensiveWall also reports data about the device to its C&C server. That data includes location, MAC and IP addresses, IMSI and IMEI.
When the device is switched on or connected, the malware then connects to the C&C server and an embedded WebView URL. It silently clicks on webpage links, subscribing users to premium services and sending SMS messages.
“Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available,” researchers conclude.