Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.” ExpensiveWall is a new variant of a malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times.

What makes ExpensiveWall different than its other family members is that it is ‘packed’ – an advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections.

Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices.

What does ExpensiveWall do?

The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.

Why is ExpensiveWall dangerous?

While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

How does ExpensiveWall work?

Once ExpensiveWall is downloaded, it requests several common permissions, including internet access – which allows the app to connect to its C&C server – and SMS permissions – which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.

ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI.

Each time the device is switched on, or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in an embedded WebView. This page contains a malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages. The malware initiates the JavaScript code by silently clicking on the links in the webpage, in the same way it clicks on ads in other occasions.

Subscribing victims to paid services

The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below:

Sending premium SMS messages

In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called “Continue,” and once the user clicks the button, the malware sends a premium SMS on his behalf. Below is an example of the HTML code containing the embedded JavaScript:

ExpensiveWall on Google Play

The malicious activities did not go unnoticed by the users, as one notes below:

As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.

After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.

Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

How to stay protected

Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and

blocking zero-day malware by using both static and dynamic app analysis. Only by examining the

malware within context of its operation on a device can successful strategies to block it be created.

Users and enterprises should treat their mobile devices just like any other part of their network, and

protect them with the best cybersecurity solutions available.

Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point

Anti-Bot Blade, which provides protection against this threat with the signature:

Trojan.AndroidOS.ExpensiveWall.

Appendix 1: List of Package names and downloads: