Security Experts:

2.5 Million Possibly Impacted by New Malware in Google Play

Malware that slips past the Google Bouncer and becomes available via Google Play isn’t something new, but it still comes as a surprise that some malicious programs manage to infect millions through the official store before being caught.

Such is the case with two newly discovered malicious Android apps in the application marketplace, namely CallJam and DressCode. The former had between 100,000 and 500,000 installs at the time it was discovered, while the latter was found in 40 apps in Google Play, with some having between 100,000 and 500,000 installs. Overall, up to 2.5 million users might have downloaded these apps. 

CallJam is a piece of malware that includes a premium dialer to generate fraudulent phone calls, along with a rough adnet designed to display ads to its victims. Hidden inside a game called Gems Chest for Clash Royale and available in Google Play since May, the malware might have infected nearly half a million devices, Check Point researchers say. Google wa informed about the malware this week.

The malware was observed requesting permission from the user before starting to make premium calls. However, Check Point’s security researchers explain that most users usually grant those permissions willingly, some without reading or fully understanding information about the permissions they are granting.

The malware’s command and control (C&C) server provides the targeted premium phone number and information about the length of the call, and CallJam initiates a call using these parameters. The malicious program can also redirect victims to malicious websites and can display fraudulent ads on these websites instead of displaying them directly on the device, thus generating additional fraudulent revenue.

“Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk,” researchers say.

The DressCode malware, however, is an entire different story, starting with the fact that it creates a botnet of infected devices, most probably to generate ad clicks and false traffic. In addition to the 40 apps in Google Play that contain the malicious code, security researchers also discovered 400 other apps on third-party app stores.

The Google Play apps, some published in the storefront in April this year, had a combined user base of between 500,000 and 2 million when they were discovered. Google has removed some of these programs soon after being informed on the malware, Check Point reports.

As soon as it has been installed on a device, DressCode initiates communication with the C&C server, which was observed only ordering the malware to “sleep.” Most probably, the attackers were looking to create a larger botnet and then start using it for malicious purposes by turning infected devices into socks proxies and rerouting traffic through them.

DressCode, researchers say, is a piece of malware similar to Viking Horde, which was discovered earlier this year. The created botnet can be used for various purposes, even to infiltrate internal networks. “Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations,” Check Point notes. The researchers published a video detailing how this can be done, along with a list of infected packages found on Google Play.

Related: Mobile Malware Shows Rapid Growth in Volume and Sophistication

view counter