Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play Store

Cyber Security

Researchers have uncovered a new set of fraudulent Android apps in the Google Play store that were found to hijack SMS message notifications for carrying out billing fraud.

The apps in question primarily targeted users in Southwest Asia and the Arabian Peninsula, attracting a total of 700,000 downloads before they were discovered and removed from the platform.

The findings were reported independently by cybersecurity firms Trend Micro and McAfee.

“Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases,” researchers from McAfee said in a Monday write-up.

The fraudulent apps belong to the so-called “Joker” (aka Bread) malware, which has been found to repeatedly sneak past Google Play defenses over the past four years, resulting in Google removing no fewer than 1,700 infected apps from the Play Store as of early 2020. McAfee, however, is tracking the threat under a separate moniker named “Etinu.”

The malware is notorious for perpetrating billing fraud and its spyware capabilities, including stealing SMS messages, contact lists, and device information. The malware authors typically employ a technique called versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then sneakily adding malicious code at a later stage via app updates, in a bid to slip through the app review process.

The additional code injected serves as the first-stage payload, which masquerades seemingly innocuous .PNG files and establishes with a command-and-control (C2) server to retrieve a secret key that’s used to decrypt the file to a loader. This interim payload then loads the encrypted second payload that’s ultimately decrypted to install the malware.

McAfee’s investigation of the C2 servers revealed users’ personal information, including carrier, phone number, SMS message, IP address, country, network status, along with auto-renewing subscriptions.

The list of nine apps is below –

  • Keyboard Wallpaper (com.studio.keypaper2021)
  • PIP Photo Maker (com.pip.editor.camera)
  • 2021 Wallpaper and Keyboard (org.my.favorites.up.keypaper)
  • Barber Prank Hair Dryer, Clipper and Scissors (com.super.color.hairdryer)
  • Picture Editor (com.ce1ab3.app.photo.editor)
  • PIP Camera (com.hit.camera.pip)
  • Keyboard Wallpaper (com.daynight.keyboard.wallpaper)
  • Pop Ringtones for Android (com.super.star.ringtones)
  • Cool Girl Wallpaper/SubscribeSDK (cool.girly.wallpaper)

Users who have downloaded the apps are urged to check for any unauthorized transactions while also taking steps to watch out for suspicious permissions requested by apps and carefully scrutinize apps before they are installed on the devices.

“Judging by how Joker operators repeatedly ensure the malware’s persistence in Google Play even after being caught numerous times, most probably there are ways [the operators] are profiting from this scheme,” Trend Micro researchers said.