Google
Google

A malware dubbed ExpensiveWall has found its way onto Google Play in what has been claimed to have been the second-biggest outbreak to ever hit Google's platform.

Check Point researchers said the malware is part of a family that may have claimed as many as 21.1 million infections in order to register users to fraudulent premium SMS messages and charge fake services to user accounts without their knowledge.

ExpensiveWall inside wallpaper apps and, according to Google Play data, has infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The malware is a new variant of a malware spotted earlier this year in the Google Play store and got its name from one of the apps it uses to infect devices named ‘Lovely Wallpaper.' The new malware sets itself apart using an advanced obfuscation technique used by malware developers to encrypt malicious code that allows the malware to evade Google Play's built-in anti-malware protections.

Checkpoint notified Google of the malware on 10 August after which the malware was promptly removed, however within a few days of the initial report the malware was back up and infected more than 5,000 devices before Google removed the malicious apps again. The malware is also still on the devices of users who downloaded the app and will require manual removal despite no longer being in Google Play.  

While currently, the malware is only designed to generate profit from its victims a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server, researchers warned.

With so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction, Javvad Malik, security advocate at AlienVault told SC Media.

 “App store operators like Google, need to be on their toes as mobile phones have become irreplaceable due to their high functionalities,” Malik said. “Because of the increased level of sophistication shown by today's cyber-attackers, app stores need to constantly seek out new and improved ways to step up their security efforts.”

Malik added Google also needs to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly.

This year Q2 saw Google Play jump up a place to the second most prevalent source for blacklisted apps according to RiskIQ's latest mobile threat landscape report, behind the leader, secondary store, AndroidAPKDescargar. 'Feral' apps came third in the top three sources for malicious downloads following analysis of 120 mobile app stores and more than two billion daily scanned resources. The conclusion was that that most app stores fail to adequately protect their users from malicious and fraudulent app downloads.

While trojan and adware download risks remain high, still the top app threats, the report also found that overall there is a 40 percent drop in blacklisted app downloads in global App stores, and although this reflected increased policing by app marketplaces to identify malevolent or suspicious apps, it was primarily attributed to increased awareness by consumers. 

RiskIQ predicts that in future malicious actors will likely migrate to secondary stores as global app players, such as Google and Apple, become more vigilant in removing dangerous software.

“Mobile app security continues to be a challenge, even for the biggest brand names,” said Mike Wyatt,   director of product operations at RiskIQ. “The size, complexity, and dynamic nature of the global app store ecosystem mean that app developers and marketplace providers can never protect all users from cyber-crime. However, they can do more to protect their customers including version control, monitoring for abuse, employing verification techniques, and offering education.”