Google is apparently dealing with yet another Android malware outbreak. Over 50 apps slipped past Google Play Store protections and amassed over 21.1 million infections - the second biggest malware outbreak to hit the platform, according to security researchers.
Researchers at the security firm Check Point revealed in a post earlier today that these apps charged users for fee-based services without their permission or knowledge. Over 4.2 million users downloaded these 50 infected apps. While Google quickly removed them after researchers reported them, different apps from the same malware family made it back onto the official Google Play Store within days of the removal, infecting more than 5,000 devices.
ExpensiveWall Android malware outbreak "will hit your wallet"
The latest Android malware outbreak is being called the second biggest to have hit the platform. Security researchers are calling this malware family ExpensiveWall, which quietly uploads phone numbers, location data, and unique hardware identifiers to its control servers. This data was then used to sign up unwitting users to premium services and to send fraudulent text messages using the uploaded phone numbers.
It's unclear how much revenue attackers managed to generate from this particular family. "While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server," Check Point researchers wrote in a report.
"Since the malware is capable of operating silently, all of this illicit activity takes place without the victim's knowledge, turning it into the ultimate spying tool."
The malware family uses a common obfuscation technique known as packing, which hides an app's malicious code from Google's scanners by compressing or encrypting the executable file before the app is uploaded to the Play Store. While the technique is old, it clearly remains effective, since the attackers used it again to introduce more infected apps after the search giant had removed their first batch.
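As an added example (not Check Point's or Google's code), the following Python triage script applies a defender-side check motivated by the packing technique described above: it reads an APK as the zip container it is and flags entries whose contents are near-random, which is what compressed or encrypted payloads look like before they are unpacked at run time. The entropy threshold, the media-suffix skip list and the in-memory sample APK are all constructed assumptions for this example.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Media formats are already compressed and legitimately high entropy; skipping
# them keeps the heuristic focused on code-like payloads. Both values are
# assumptions for this example, not a Check Point or Google convention.
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".ogg", ".mp4")
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum for random data

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def suspicious_entries(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return (name, entropy) for non-media zip entries whose decompressed
    contents are near-random, the signature of a packed or encrypted payload."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.lower().endswith(MEDIA_SUFFIXES):
                continue
            entropy = shannon_entropy(zf.read(info))
            if entropy >= threshold:
                flagged.append((info.filename, round(entropy, 2)))
    return flagged

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a plain dex, a media entry (skipped by
    suffix), and a high-entropy blob under assets/ standing in for a packed payload."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4096)
        zf.writestr("res/drawable/icon.png", noise)  # skipped: media suffix
        zf.writestr("assets/payload.bin", noise)     # flagged: near-random, not media
    return buf.getvalue()

if __name__ == "__main__":
    for name, entropy in suspicious_entries(build_sample_apk()):
        print(f"{name}: {entropy} bits/byte, review for packed code")
```

High entropy alone is not proof of packing (legitimate apps ship encrypted assets too), so treat a hit as a prompt for manual review of how the entry is loaded, not as a verdict.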
Developers unwittingly added the Android malware in their apps
Check Point believes that Android app developers unwittingly distributed ExpensiveWall by embedding a development kit called gtk into their own apps. At this point, it looks like the developers weren't aware that they were including malicious behavior in their apps.
Google's mobile operating system remains vulnerable to malware outbreaks despite the company introducing several new security features. Users should remain careful about which apps they download to their devices, and should also make sure Play Protect is enabled in the Google Play app, under the Play Protect tab.
Users will likely remain infected even after Google's removal of the infected apps from the store until they uninstall those apps themselves. Check Point has shared the complete list of infected apps in today's report (shared below). Google's recently announced Play Protect should also be able to remove malicious apps from infected devices, but that might not happen on older versions of Android or on devices where users have disabled Play Protect.
ExpensiveWall infected Android apps: