New malware attack through Google Play

Feb 13

Update 17/02/2014:

All 4 apps have been removed from Google Play. These are the SHA1 hashes of the 4 apps, in case any security researchers need them:

b83a180a92fb706e6f120f36cca6ddc43670d55c

fce9824f02f6bfb57c685d85a43d4c5c051cc498

af9429cf93a2a569da72c30bf52e0305d95bb7e8

e8868f6b3e4dd76367840214d881873ec42705a6

************************************

Our Panda Mobile Security research team has found a new threat that has infected at least 300,000 people, although that number could be 4 times higher: 1,200,000. All of the malicious apps are downloadable from Google Play:

How is it possible that malicious apps are allowed here? Well, it is not the first time that all kinds of malware have made it through the different filters and been published. However, I think this is a different case and it might stay in Google Play for a long time… but first let me tell you how it works and how it steals your money.

Let’s take one of them, “Dietas para reducir el abdomen”. Once you install the application and open it, it will start loading:

[Screenshot: abdomen_presentacion]

Afterwards it will show the following screen:

[Screenshot: abdomen_presentacion_2]

When you click on “Siguiente” (Next), it offers you access to one of the diets:

[Screenshot: abdomen_presentacion_3]

It is hard to see the cross in the upper-right corner of the screen… they want to make sure we click on “Entrar” (Enter). When you click on it, a new message is shown on top of the previous screen:

[Screenshot: abdomen_terminos_condiciones]

Basically they are asking you to accept (“Aceptar”) the terms of service in order to see the content. But look again at the picture: behind this message the previous screen is still there, with one “minor” difference. Below the green “Entrar” button there is now a small, completely unreadable text that wasn’t there before. Let’s zoom in on the image a bit:

[Screenshot: zoom]

These are the terms of service you accept if you click on “Aceptar”: they say you will be subscribed to a service that provides content for your mobile phone. Of course, that is completely unreadable at its original size.

Once you accept the terms of service and click on enter (“Entrar”), 2 different things happen:

  • The user will see a number of tips to reduce his abdomen.
  • Without the user’s knowledge, the app obtains the phone number of the device, goes to a website and registers it with a premium SMS service. This service requires a confirmation to be activated, which means it sends an SMS to that number with a PIN code that has to be entered back to complete the process and start charging you money. The app waits for that specific message; once it arrives, it intercepts it, parses it, takes the PIN and confirms your interest in the service. Then it deletes the message: no notification is shown on the terminal and the SMS does not appear anywhere. Again, all of this is done without the user’s knowledge.

It is worth mentioning how the telephone number is “acquired”. The usual way for an app to do it is to take the number from the SIM card (there is a function in the operating system for that); however, for security reasons a number of providers do not store the number there. To get around this, the app “steals” it from one of the most popular mobile apps in the world: WhatsApp. As you probably remember, the first time you open WhatsApp you are asked for your mobile phone number. The popular messaging app uses this number, among other things, as an identifier to synchronize with WhatsApp:

[Screenshot: whatsapp]

According to Google Play this app has between 50,000 and 100,000 downloads. The other ones I mentioned do exactly the same. If we add up the downloads of all 4 apps, there are between 300,000 and 1,200,000 downloads in total. 2 were published in December 2013 and the other 2 in January 2014, so that number of downloads is pretty impressive. Looking at the comments left by some users, a number of them installed the apps because they are given tokens / credits in some games for installing these fraudulent apps.

They charge a lot of money for these premium SMS services; if we make a conservative estimate of $20 charged per terminal, we are talking about a huge scam that could be worth somewhere between 6 and 24 million dollars!

Panda Mobile Security detects this threat, but that is not a big deal: tomorrow we could find hundreds of apps with the same behavior that would not be detected by any antivirus product. So what can we do to protect ourselves? If you are a user of Panda Mobile Security, you will know we have a “Privacy Auditor” feature. If you go there, any app with permissions that allow it to behave in this malicious and dangerous way will be flagged as “Cost Money”, and you can remove it from there. That does not mean all applications listed there are malicious: you can see that Facebook or WhatsApp are there, and I wouldn’t call them malicious. Any application with enough permissions to perform the tricks described here will be in this category; if you see an installed app that should not have those permissions, remove it right away:

[Screenshot: privacy_auditor_cost_money_eng]

And whatever security solution you use (if any), please always read the permissions requested when installing each application; if among them there is one that lets the app read your SMS and connect to the Internet, and it is not really needed, do not install it.
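The two paragraphs above describe the permission-based check that the “Privacy Auditor” performs (SMS access plus Internet access flagged as “Cost Money”, regardless of whether the app is actually malicious) and the advice to inspect permissions yourself. The following script is an added example of that audit, written for this page; it is not Panda’s code and the manifests it parses are constructed to resemble the permission sets the post describes, not the real apps’ manifests. It reads an AndroidManifest.xml, collects the requested permissions, and reports the “Cost Money” combination (read/receive SMS + Internet), the phone-identity combination (SMS + READ_PHONE_STATE), and any receiver registered for the `SMS_RECEIVED` broadcast with a raised priority, which is what lets an app see an incoming SMS before the default messaging app does.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (android:name, android:priority, ...)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERM = "android.permission.INTERNET"
PHONE_PERM = "android.permission.READ_PHONE_STATE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest with the permission set the post describes (NOT the real app's manifest).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dietas">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a legitimate messaging app: flagged "Cost Money" but not malicious.
MESSAGING_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""

# Constructed manifest of an app with no SMS or network access at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package, set of permissions, [(receiver name, priority)] for SMS_RECEIVED receivers)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")} - {None}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = flt.get(ANDROID_NS + "priority")
                sms_receivers.append((receiver.get(ANDROID_NS + "name"), int(prio) if prio else 0))
    return root.get("package"), perms, sms_receivers


def audit(xml_text):
    """Classify a manifest the way a permission auditor would; findings are heuristics, not verdicts."""
    pkg, perms, sms_receivers = parse_manifest(xml_text)
    findings = []
    has_sms = bool(perms & SMS_PERMS)
    if has_sms and NET_PERM in perms:
        findings.append("COST_MONEY: can read incoming SMS and reach the Internet")
    if has_sms and PHONE_PERM in perms:
        findings.append("PHONE_ID: can read the device phone number/IMEI alongside SMS")
    for name, prio in sms_receivers:
        if prio > 0:
            findings.append(f"SMS_INTERCEPT: receiver {name} listens for SMS_RECEIVED at priority {prio}")
    return {"package": pkg, "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, MESSAGING_MANIFEST, BENIGN_MANIFEST):
        result = audit(manifest)
        print(result["package"], "->", result["findings"] or ["no findings"])
```

The messaging app is reported as “Cost Money” just like the suspect app, which is exactly the point the post makes about Facebook and WhatsApp appearing in that category: the permission combination tells you what an app could do, and the decision to remove it rests on whether the app has any business needing it. The raised-priority `SMS_RECEIVED` receiver is the one signal here that separates a plain SMS reader from something positioned to act on a message before the user sees it.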

As I said earlier, they might stay in Google Play for a long time; after all, users do accept the terms of service, so they might have a legal defense at some level. However, not enough to stop Panda Mobile Security from detecting and removing them, that’s for sure.

Comments

  1. SomeONe says:

    open it and it will satrt loading

    You made a typo here

  2. NullZone2 says:

    According to Google Play this app has between 50,000 and 100,000 downloads. The other ones I mentioned do exactly the same. If we add the downloads of all 4 apps, there are between 300,000 and 1,200,000 downloads of all of them. 2 were published in December 2013 and the other 2 in January 2013, so that number of downloads is pretty impressive.

    I suspect those rankings might have been artificially increased to make the apps easier to find.

    • Luis Corrons says:

      That could be an option, although after reading the comments I can tell you that there were hundreds, most of them saying they were installing the app to get credits / coins in some game, and a few saying it was subscribing your phone to a Premium SMS service without your knowledge.
