Google has ejected 50 apps from its Google Play store that were harboring mobile malware dubbed ExpensiveWall. The malware, which was downloaded between 1 million to 4.2 million times, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users, according to Check Point security researchers.
Researchers said the malware was bundled prominently an Android wallpaper app Lovely Wallpaper.
“ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times,” wrote Check Point researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov in a technical description posted Thursday.
This latest strain sets itself apart from a previous versions of the malware because of the use of the advanced obfuscation technique called “packed“, which compresses malicious programs and encrypts them in order to avoid detection.
Google was notified of the malware-tainted apps on Aug. 7 and removed them. However, the malware reemerged on Google Play days later on a new unidentified app, according to researchers. More than 5,000 additional devices were infected before it was removed four days later, Check Point said.
While this latest infiltration impacted an estimated 50 apps, Google Play has been battling rogue apps for the entire year. Four messaging apps in the Google Play store containing spyware called SonicSpy were removed last month. In May, malware called Judy was downloaded 36 million times and found in 40 apps. On at least four separate occasions this year Google has had to give malware the boot from Google Play. That malware included Dvmap, SMSVova, Ztorg and also 132 apps infected with malicious iFrames.
Researchers said it’s unclear how much revenue has been generated via ExpensiveWall’s premium SMS scam.
“It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices,” Check Point said.
Once an app with the malware ExpensiveWall is installed it requests several device permissions including internet access – allowing apps to connect to its C&C server – and SMS permissions to register users for paid services and sending premium SMS messages without the users’ knowledge, researchers said. The firm suggests the apps may have also been able to sneak past Google Play security measures because the permissions required for the scam were not unusual and used for appropriate purposes by legitimate apps.
Researchers are warning developers that ExpensiveWall is likely spread to different apps via an SDK called “GTK.”