At some point, you really have to feel bad for the folks in charge of the Google Play Store. Throughout 2017, there have been numerous incidents in which large groups of users have fallen prey to infected apps from the Play Store. While Google has done its best to react to security warnings from researchers, often expelling the infected apps, more malware-infected applications keep popping up. This is the case yet again with 50 Google Play apps that were recently discovered to carry malware. What sets this malware, called ExpensiveWall, apart is that it is merely the latest of multiple versions that have managed to find their way into Google Play apps. Security researchers at Check Point have been monitoring the ExpensiveWall malware since they first alerted Google in early August. As they state in a blog post, ExpensiveWall has emerged again and has been downloaded at least 1 million times via the 50 apps.
The creators appear to have a financial motivation, as Check Point researchers state that the ExpensiveWall malware “sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge.” What differentiates it from the previous incarnations in this malware family is a technique the researchers call “packed.” Check Point explains the technique as:
An advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections.
A more sinister possibility exists, unfortunately, even though the ExpensiveWall malware has not yet been spotted doing this. According to Check Point, the real danger of ExpensiveWall is its potential for spying, given the permissions that the infected apps request. As the researchers state in their blog:
A similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.
While Google has ejected the apps each time the malware family surfaced, the damage has been immense. In total, researchers estimate that apps with ExpensiveWall malware and its predecessors have been downloaded “between 5.9 million and 21.1 million times.” Considering that the malware has infiltrated the Play Store numerous times, it is only a matter of time before its creators find a new way to enter the marketplace.
One way to defend against complex malware like ExpensiveWall is to make sure your cybersecurity software offers protections that employ static and dynamic app analysis. This can potentially block the malware at the source by analyzing its internal code and its behavior at runtime. Other than that, maybe hold off on downloading anything from the Google Play Store until the company gets its act together. The malware infections in approved applications for Android devices have been too frequent for me, as a cybersecurity professional, to endorse the Play Store as a safe entity at this time.
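To make the static-analysis side of that advice concrete, here is a small triage script added as an example for this article; it is not Check Point's tooling and not part of Google Play Protect. It parses an AndroidManifest.xml and flags the two permission patterns the article describes (sending and intercepting SMS, and camera or microphone access paired with network access), then runs a byte-entropy check over bundled assets, since an encrypted payload of the kind a packer hides tends to look like random data. The manifest, the asset contents, the permission groupings and the 7.5 bits/byte threshold are all constructed or assumed for the example, not taken from the ExpensiveWall samples.

```python
"""Static triage of an Android app: permission review plus an entropy
check for encrypted (packed) payloads.

Added example for this article, not Check Point's or Google's code.
The manifest, assets, permission groups and entropy threshold below
are constructed/assumed to mirror the behaviour the article describes.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed permission groupings (not an industry standard). In combination
# they match the capabilities described in the article.
SMS_FRAUD = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
SPY_CAPABLE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.READ_CONTACTS",
               "android.permission.ACCESS_FINE_LOCATION"}
NETWORK = {"android.permission.INTERNET"}
ENTROPY_THRESHOLD = 7.5  # assumed; uniform random bytes score 8.0


def parse_permissions(manifest_xml: str) -> set:
    """Return the permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(manifest_xml: str, assets: dict) -> dict:
    """Combine a permission review with a packing heuristic.

    assets maps file name -> bytes for non-code files bundled in the APK.
    Findings are cause for a closer (dynamic) look, not proof of malice.
    """
    perms = parse_permissions(manifest_xml)
    findings = []
    if SMS_FRAUD <= perms:
        findings.append("sends and intercepts SMS (premium-SMS fraud pattern)")
    spy = perms & SPY_CAPABLE
    if spy and NETWORK <= perms:
        short = ", ".join(sorted(p.rsplit(".", 1)[-1] for p in spy))
        findings.append(f"surveillance-capable permissions with network access: {short}")
    for name, blob in assets.items():
        h = shannon_entropy(blob)
        if len(blob) >= 64 and h > ENTROPY_THRESHOLD:
            findings.append(f"high-entropy asset {name!r} ({h:.2f} bits/byte): "
                            "possible encrypted payload")
    return {"permissions": sorted(perms), "findings": findings,
            "needs_dynamic_analysis": bool(findings)}


# Constructed sample input: a wallpaper app that asks for far more than it needs.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Wallpaper"/>
</manifest>
"""

# Constructed assets: a plain text file and a blob with uniform byte
# distribution standing in for an encrypted payload.
CONSTRUCTED_ASSETS = {
    "readme.txt": b"A" * 200,
    "assets/config.bin": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST, CONSTRUCTED_ASSETS)
    for line in report["findings"]:
        print("-", line)
    print("needs dynamic analysis:", report["needs_dynamic_analysis"])
```

The script is deliberately a first pass: it answers "should this app go to a sandbox for dynamic analysis?" rather than "is this app malicious?". A real pipeline would extract the manifest from the binary AXML format and scan the dex code and native libraries as well, but the decision logic is the same.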
Photo credit: Flickr / Roman Boed