Researchers found a number of fake Android apps in the Google Play store. The apps hijack SMS message notifications to make unauthorized purchases.
Both Trend Micro and McAfee detected the apps, which have since been removed from the store. Before they were removed, the apps had been downloaded 700,000 times.
The apps primarily targeted users in Southwest Asia and the Arabian Peninsula.
“Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases,” researchers from McAfee said in a Monday write-up.
The fraudulent apps belong to the so-called “Joker” type (McAfee also calls it Etinu).
In the past four years, Google removed over 1,700 infected apps from the Play Store.
The malware’s capabilities include stealing SMS messages, contact lists, and device information. Attackers also use a technique called versioning, in which they upload a benign app to the Play Store and, at a later stage, add malicious code via an app update in a bid to slip through Google’s app review process.
Attackers deliver the first-stage payload in innocuous .PNG files. The script establishes a connection with the attackers’ command-and-control (C2) server to retrieve a secret key that decrypts the file into a loader. After a chain of downloads and decryption steps, the malware is installed.
Attackers successfully stole users’ personal information, including carrier, phone number, SMS messages, network status, IP address, country, and subscriptions.
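For analysts triaging an APK, the following added example (not from the researchers' write-ups) lists every `.png` entry in the archive that does not parse as a well-formed PNG. It assumes that a file carrying an encrypted payload under a `.png` name will fail a signature, chunk CRC, or trailing-data check; the page does not say how the payload is stored, and the file names and sample archive here are constructed.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_problem(data):
    """Return None if data is a well-formed PNG, else a short reason string."""
    if not data.startswith(PNG_MAGIC):
        return "missing PNG signature"
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):  # each chunk: length(4) type(4) body CRC(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return "truncated chunk"
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:  # CRC covers type + body
            return "bad CRC in %s chunk" % ctype.decode("latin-1")
        pos = end
        if ctype == b"IEND":  # nothing may follow the final chunk
            return None if pos == len(data) else "%d bytes after IEND" % (len(data) - pos)
    return "no IEND chunk"

def scan_apk(apk_bytes):
    """Map each suspicious *.png entry in the APK (a zip) to the reason it failed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = [n for n in apk.namelist() if n.lower().endswith(".png")]
        checked = {n: png_problem(apk.read(n)) for n in names}
    return {n: why for n, why in checked.items() if why}

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_apk():
    """Constructed archive: a valid 1x1 PNG, an opaque blob, a PNG with appended bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    good = PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/icon.png", good)
        z.writestr("assets/cache.png", bytes(range(256)))
        z.writestr("assets/bg.png", good + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

A hit is a lead for manual analysis, not a verdict: a clean result does not rule out a payload hidden inside valid image data.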
The nine rogue apps are:
- Keyboard Wallpaper (com.studio.keypaper2021)
- PIP Photo Maker (com.pip.editor.camera)
- 2021 Wallpaper and Keyboard (org.my.favorites.up.keypaper)
- Barber Prank Hair Dryer, Clipper and Scissors (com.super.color.hairdryer)
- Picture Editor (com.ce1ab3.app.photo.editor)
- PIP Camera (com.hit.camera.pip)
- Keyboard Wallpaper (com.daynight.keyboard.wallpaper)
- Pop Ringtones for Android (com.super.star.ringtones)
- Cool Girl Wallpaper/SubscribeSDK (cool.girly.wallpaper)
After removing the apps and cleaning their devices, users are advised to check for any unauthorized transactions. As a general precaution, users should watch out for suspicious permissions requested by apps and carefully assess the reliability of an app before installing it.