
ExpensiveWall signs users up to fraudulent SMS services

19 Sep 2017

Some Android users may notice fraudulent charges on their accounts if they have been infected by a new strain of malware dubbed “ExpensiveWall”.

According to research from Check Point, the malware is named after one of the apps it infected: ‘Lovely Wallpaper’. It also affected other apps, including X Wallpaper, Color Camera, Horoscope, Sale locker, Wifi Booster, Yes Star, Tool Box Pro, Memory Doctor, Global Weather and Music Player.

Discovered earlier this year, the malware is estimated to account for between 5.9 million and 21.1 million downloads.

While Google removed the original malware samples from Google Play, days later another variant popped up that infected more than 5000 devices.

While the malware is no longer available on Google Play, Check Point researchers warn that it still remains on victims’ devices.

ExpensiveWall is ‘packed’ to hide from anti-malware protections such as those in Google Play.

The malware registers victims to premium services without their knowledge, sends SMS messages and charges their accounts for the fraudulent services.

“While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov say in Check Point’s blog.

After being downloaded with compromised apps, ExpensiveWall then requests permissions including internet access. This is important to facilitate communication with its C&C server. It also requests SMS permissions so it is able to send the fraudulent premium SMS messages.

Researchers say that because many legitimate apps request similar permissions, most users grant them unwittingly, especially when apps come from trustworthy sources such as Google Play.
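The permission pattern described above (internet access for C&C traffic plus SMS permissions for premium messaging) is something a defender can triage straight from an app's manifest before install. The following check is an added example, not Check Point's or Google's tooling; the manifest and package name are constructed for illustration.

```python
"""Flag the ExpensiveWall-style permission combination in an AndroidManifest.xml:
INTERNET (C&C communication) together with SEND_SMS (premium SMS fraud).
Added example for defenders; the manifest below is constructed, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Permissions the article says the malware relies on, grouped by role.
NETWORK_PERMS = {"android.permission.INTERNET"}
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed manifest for a wallpaper app that has no business sending SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def premium_sms_risk(manifest_xml: str) -> dict:
    """Report which SMS permissions are requested and whether the
    INTERNET + SEND_SMS combination from the article is present."""
    perms = requested_permissions(manifest_xml)
    has_network = bool(perms & NETWORK_PERMS)
    return {
        "network": has_network,
        "sms": sorted(perms & SMS_PERMS),
        "flag": has_network and "android.permission.SEND_SMS" in perms,
    }


if __name__ == "__main__":
    print(premium_sms_risk(SAMPLE_MANIFEST))
```

A hit here is a reason to question why a wallpaper or camera app needs to send SMS, not proof of malware on its own.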

ExpensiveWall also reports data about the device to its C&C server. That data includes location, MAC and IP addresses, IMSI and IMEI.

When the device is switched on or connected, the malware then connects to the C&C server and an embedded WebView URL. It silently clicks on webpage links, subscribing users to premium services and sending SMS messages.

“Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available,” researchers conclude.
