Google has taken increasingly sophisticated steps to keep malicious apps off Google Play. But a newly discovered campaign spanning nearly 200 apps and more than 10 million potential victims shows that this long-standing problem is far from solved, and in this case it could cost users hundreds of millions of dollars.
Researchers at the mobile security firm Zimperium say a massive scam has plagued Android since November 2020. The attackers were able to get innocuous-looking apps such as “Handy Translator Pro,” “Heart Rate and Pulse Tracker,” and “Bus – Metrolis 2021” onto Google Play as a front for something worse. After downloading a malicious app, a victim receives a flood of notifications, five an hour, inviting them to claim a prize by “confirming” their phone number. The prize page is loaded in an in-app browser, a common tactic for keeping malicious indicators out of the app’s own code. Once a user enters their number, the attackers sign them up for a recurring monthly charge of around $42, billed through the premium SMS service on their wireless account. That feature normally lets you pay for digital services or, say, donate to a charity by text message; in this case, the money went straight to the crooks.
These tactics are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious problem. But the researchers say it is significant that the attackers were able to string these familiar approaches together in a way that remained highly effective, and at staggering scale, even as Google continued to improve Android and Play Store security.
“It’s an impressive delivery in terms of scale,” said Richard Melick, director of product strategy for endpoint security. “They’ve pushed a whole gang of tactics across all departments; these methods are refined and proven. And in terms of the amount of apps it really is a carpet-bombing effect. One may succeed, the other may not, and that’s fine.”
The operation targets Android users in more than 70 countries, checking their IP addresses to work out their geographic region. The app then shows web pages in the local language to make the lure more convincing. The malware’s operators were careful not to reuse URLs, which could make it easier for security researchers to track them. And the content the attackers created was high quality, free of the typos and grammatical errors that often give a scam away.
Zimperium is a member of Google’s App Defense Alliance, a group of third-party companies that help keep tabs on Play Store malware, and it was through that collaboration that the company reported the campaign, which it calls GriftHorse. Google says all the apps Zimperium flagged have been removed from the Play Store and the associated developers have been banned.
However, the researchers note that the apps, many of which had several thousand downloads each, are still available through third-party app stores. They also note that while premium SMS fraud is an old chestnut, it remains effective because the fraudulent charges usually do not appear until the victim’s next wireless bill. If attackers can get their apps onto enterprise devices, they can even trick employees of large corporations into signing up for a charge on a company phone line that could go unnoticed year after year.
Although removing so many apps will slow the GriftHorse campaign for now, the researchers stressed that new variations are always emerging.
“These attackers are organized and professional. They have built it as a business, and they are not just moving forward,” said Shridhar Mittal, CEO of Zimperium. “I’m sure it wasn’t a one-time thing.”