According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.
At this year’s I/O, Google announced Play Protect, a user-facing security screening process for apps on Android phones based on the old Verify Apps. Basically, it scans apps you install, comparing their content against known malware components, and notifies you if any potential risks are found. And it turns out, it’s not infallible, as an older “packed” malware package was able to trick it.
Check Point identified a “packed” malware they’re calling ExpensiveWall, after an app containing the malware called “Lovely Wallpaper.” It surreptitiously registers users for premium services via SMS, charging their accounts for services they don’t want, and which the malware creators profit from.
However, according to Check Point, the malware could be used for even more dangerous actions like data theft or remotely capturing media. To oversimplify the process: apps with ExpensiveWall request internet and SMS permissions, connect to a remote server at regular intervals, and run what is sent to it by the server in an embedded WebView.
If you follow Android security, this might all sound a bit familiar, and that’s because it’s basically identical to another piece of malware discovered earlier this year. According to Check Point, Play Protect was configured to detect this malware previously, but it’s now been “packed” to fool the existing checks.
Packing, in this instance, is effectively another name for obfuscation, which is a method used by software developers to hide the intended functionality of a piece of software. The obfuscation in this case was significant enough to fool the automated systems in Google’s Play Protect, to the tune of 5 to 20 million infections across all the affected apps on Google Play.
Check Point made no mention of communications to Google about this new malware variant, but I expect that the offending applications will be removed, and that Play Protect will be updated to catch the “packed” malware. But it’s probably just a matter of time until more obfuscated malware like ExpensiveWall discovered.
With this latest success for the crooks, it’s apparent Google still has work to do to cut off fraudsters exploiting Android’s openness.