Update 17/02/2014:

All 4 apps have been removed from Google Play. These are the SHA1 hashes belonging to the 4 apps, in case any security researchers need them.


************************************


Our Panda Mobile Security research team has found a new threat that has infected at least 300,000 people, although that number could be 4 times higher: 1,200,000. All of those malicious apps are downloadable from Google Play:

[Screenshot: the four malicious apps as listed on Google Play]

How is it possible that malicious apps are allowed here? Well, it is not the first time that all kinds of malware have managed to get through the different filters and be published. However, I think this is a different case and it might stay in Google Play for long… first let me tell you how it works and how it steals your money.

Let’s take one of them, “Dietas para reducir el abdomen”. Once you install the application, you open it and it will start loading:

[Screenshot: the app's loading screen]

Afterwards it will show the following screen:

[Screenshot: the app's start screen]

When you click on “Siguiente” (next) it offers you access to one of the diets:

[Screenshot: the diet offer screen with the green “Entrar” button and a small cross in the upper-right corner]

It is hard to see the cross in the upper-right corner of the screen… they want to make sure we click on “Entrar” (Enter). When you click on it, a new message is shown on top of the previous screen:

[Screenshot: terms of service dialog with the “Aceptar” button, shown over the previous screen]

Basically they are asking you to accept (“Aceptar”) the terms of service to be able to see the content. But look again at the picture: behind this message is still the previous screen, with one “minor” difference. Look at the green button “Entrar”: below it there is a small, completely unreadable text that wasn’t there before. Let’s zoom in on the image a bit:

[Screenshot: zoomed-in view of the small text below the “Entrar” button]

These are the terms of service you are accepting if you click on “Aceptar”: they say you will be subscribed to a service to obtain content for your mobile phone. Of course, that is completely unreadable at its original size.

Once you accept the terms of service and click on enter (“Entrar”), 2 different things happen:

  • The user sees a number of tips to reduce his abdomen.
  • Without the user’s knowledge, the app obtains the phone number of the device, connects to a website and registers the number with a premium SMS service. This service requires a confirmation to be activated: it sends an SMS to that number with a PIN code, which has to be entered back to complete the process and start charging you money. The app waits for that specific message; once it arrives, it intercepts it, parses it, takes the PIN and confirms your interest in the service. Then it deletes the message: no notification is shown on the terminal and the SMS does not appear anywhere. Again, all of this happens without the user’s knowledge.

It is worth mentioning how the telephone number is “acquired”. The usual way for an app to do it is to take the number from the SIM card (there is a function in the operating system to do that); however, for security reasons a number of providers do not store the number there. To get around this, the app “steals” it from one of the most popular mobile apps in the world: WhatsApp. As you probably remember, when you open WhatsApp for the first time you are asked for your mobile phone number. The popular messaging app uses this number, among other things, as an identifier to synchronize with WhatsApp:

[Screenshot: WhatsApp asking for the user’s mobile phone number on first launch]

According to Google Play, this app has between 50,000 and 100,000 downloads. The other ones I mentioned do exactly the same. If we add up the downloads of all 4 apps, there are between 300,000 and 1,200,000 downloads in total. 2 were published in December 2013 and the other 2 in January 2014, so that number of downloads is pretty impressive. Looking at the comments left by some users, a number of them are installing these fraudulent apps because they are given tokens / credits in some games for doing so.

They charge a lot of money for these premium SMS services; if we make a conservative estimate of $20 charged per terminal, we are talking about a huge scam that could be worth somewhere between 6 and 24 million dollars!

Panda Mobile Security detects this threat, but that is not a big deal: tomorrow we could find hundreds of apps with the same behavior that would not be detected by any antivirus product. So what can we do to protect ourselves? If you are a user of Panda Mobile Security, you will know we have the “Privacy Auditor” functionality. If you go there, any app with permissions that allow it to behave in this malicious and dangerous way will be flagged under “Cost Money”, and you can remove it from there. That does not mean every application listed there is malicious: you can see Facebook and WhatsApp there, and I wouldn’t call them malicious. Any application with enough permissions to perform the tricks described here will be in this category; if you see an app you have installed that should not have those permissions, remove it right away:

[Screenshot: Privacy Auditor showing the “Cost Money” category]

And whatever security solution you use (if any), please always read the permissions required to install each application; if among them is one that lets the app read your SMS and connect to the Internet, and it is not really needed, do not install it.
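The permission check described here and in the “Privacy Auditor” paragraph, and the SMS-interception behavior from the bullet list earlier, as an added example that is not Panda’s own code: a Python script that parses a decoded AndroidManifest.xml and flags the SMS-plus-Internet combination, phone-number access, and a high-priority receiver for incoming SMS. The two manifests are constructed; the permission and action names are the real Android constants.

```python
# Added example (not Panda's Privacy Auditor code): heuristic triage of a
# decoded AndroidManifest.xml for the permission pattern behind this fraud:
# read the phone number, reach the network, and receive/consume incoming SMS.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE"}
NETWORK_PERMS = {"android.permission.INTERNET"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifest modelled on the behaviour described in the post.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dietas">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no SMS involvement.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = {
        # SMS access plus network access is enough to receive a PIN and confirm
        # a subscription online, which is what ends up costing the user money.
        "cost_money": bool(perms & SMS_PERMS) and bool(perms & NETWORK_PERMS),
        "reads_phone_number": bool(perms & IDENTITY_PERMS),
        "sms_interceptor": False,
    }
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        # A high-priority SMS_RECEIVED receiver sees incoming SMS before the
        # messaging app does (and, before Android 4.4, could abort delivery).
        priority = int(flt.get(ANDROID_NS + "priority", "0"))
        if SMS_RECEIVED in actions and priority > 0:
            findings["sms_interceptor"] = True
    return findings
```

Run `audit_manifest(SUSPECT_MANIFEST)` to see all three signals set; the benign manifest sets none, which mirrors why Facebook or WhatsApp can appear in the same category without being malicious while an app that has no business reading SMS should not.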

As I said earlier, they might stay in Google Play for a long time: as a matter of fact, users accept the terms of service, so they might have a legal defense at some level. However, not enough to avoid Panda Mobile Security detecting and removing it, that’s for sure.