Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of removals involving about 200 apps and more than 10 million potential victims shows that this long-running problem is still far from resolved, and that it may be costing users hundreds of millions of dollars.
Researchers from the mobile security company Zimperium say an extensive scam campaign has been infecting Android devices since November 2020. As is often the case, the attackers managed to get seemingly benign apps such as “Handy Translator Pro”, “Heart Rate and Pulse Tracker” and “Bus – Metrolis 2021” into Google Play as fronts for something far more sinister. After a victim installs one of the malicious apps, it floods them with notifications, at least five an hour, prompting them to “confirm” their phone number to claim a prize. The “prize” claim page loads in an in-app browser, a common technique for keeping the malicious content out of the app’s own code, where static analysis and Play Store review would be more likely to catch it. Once the user entered their number, the attackers signed it up for a recurring monthly charge of about $42 through premium SMS billing, a carrier feature that normally lets users pay for digital services or, for example, donate to a charity via text message. In this case, the money went directly to the scammers.
These techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious problem. But the researchers say it is significant that the attackers were able to combine these known methods in a way that is still highly effective, and at staggering scale, even as Google continues to improve Android security and Play Store defenses.
“This is an impressive delivery of scale,” says Richard Melick, Zimperium’s director of product strategy for endpoint security. “They’ve pushed the full gauntlet of technologies across all categories; these approaches are iterative and proven. And it’s really a bombardment effect when it comes to the number of applications. One may be successful, the other may not, and that’s okay.”
The operation targeted Android users in more than 70 countries and checked their IP addresses to determine their geographic region; the app then displayed web pages in the primary language of that region to make the lure more convincing. The malware operators were careful not to reuse URLs, which made it harder for security researchers to track them. And the content the attackers produced was of high quality, without the typos and grammatical errors that give away more obvious frauds.
Zimperium is a member of Google’s App Defense Alliance, a coalition of third-party companies that help monitor the Play Store for malware, and the company disclosed the campaign, which it calls GriftHorse, through that collaboration. Google says all of the apps Zimperium identified have been removed from the Play Store and the corresponding developers have been banned.
However, the researchers point out that the apps, many of which were downloaded hundreds of thousands of times, are still available through third-party app stores. They also note that while SMS fraud is an old chestnut, it remains effective because the fraudulent charges typically don’t show up until the victim’s next wireless bill. If attackers can get their apps onto enterprise devices, they can even trick employees of large companies into signing up for a charge that could go unnoticed for years on a corporate phone number.
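Because the damage described above only surfaces on the carrier bill, one practical control for an enterprise telecom administrator is to scan monthly billing exports for premium SMS charges that recur on the same line. The script below is an added example, not part of the original article or Zimperium’s research; the billing export format, column names, short codes and amounts are constructed for illustration and do not correspond to any real carrier or to the GriftHorse apps.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a hypothetical enterprise carrier billing export.
# The column layout is an assumption for this example, not any real format.
SAMPLE_BILL = """bill_month,line,charge_type,description,amount
2021-06,+15550100,usage,Standard plan,45.00
2021-06,+15550100,premium_sms,Short code 54321 subscription,42.00
2021-06,+15550101,usage,Standard plan,45.00
2021-07,+15550100,usage,Standard plan,45.00
2021-07,+15550100,premium_sms,Short code 54321 subscription,42.00
2021-07,+15550101,premium_sms,Short code 88888 one-time vote,1.50
2021-08,+15550100,usage,Standard plan,45.00
2021-08,+15550100,premium_sms,Short code 54321 subscription,42.00
"""


def parse_bill(text):
    """Parse a CSV billing export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_recurring_premium_sms(rows, min_months=2):
    """Flag premium SMS charges that recur on the same line.

    Charges are grouped by (line, description); any group billed in at
    least `min_months` distinct billing months is reported, because a
    legitimate one-off charity donation or vote appears once, whereas a
    fraudulent subscription shows up month after month.
    """
    seen = defaultdict(dict)  # (line, description) -> {bill_month: amount}
    for r in rows:
        if r["charge_type"] != "premium_sms":
            continue
        key = (r["line"], r["description"])
        seen[key][r["bill_month"]] = float(r["amount"])

    flagged = []
    for (line, desc), months in seen.items():
        if len(months) >= min_months:
            flagged.append({
                "line": line,
                "description": desc,
                "months": sorted(months),
                "total": round(sum(months.values()), 2),
            })
    # Most expensive recurring charge first, so it is reviewed first.
    return sorted(flagged, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for hit in find_recurring_premium_sms(parse_bill(SAMPLE_BILL)):
        print(f"{hit['line']}: {hit['description']} billed in "
              f"{', '.join(hit['months'])} (total ${hit['total']:.2f})")
```

On the sample data the one-time $1.50 vote on the second line is ignored, while the $42 short code subscription on the first line is reported with all three months in which it was billed. Lowering `min_months` to 1 turns the check into a simple inventory of every premium SMS charge, which is a reasonable first pass on a fleet where no such charges are expected at all.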
Although taking down so many apps will slow the GriftHorse campaign for the time being, the researchers stress that new variants always emerge.
These attackers are organized and professional. “They’ve positioned this as a business, and they’re not just going to go away,” says Shridhar Mittal, CEO of Zimperium. “I’m sure this wasn’t a one-time thing.”