2.5 Million Possibly Impacted by New Malware in Google Play

Malware that slips past the Google Bouncer and becomes available via Google Play isn’t something new, but it still comes as a surprise that some malicious programs manage to infect millions through the official store before being caught.

Such is the case with two newly discovered malicious Android apps in the application marketplace, namely CallJam and DressCode. The former had between 100,000 and 500,000 installs at the time it was discovered, while the latter was found in 40 apps in Google Play, with some having between 100,000 and 500,000 installs. Overall, up to 2.5 million users might have downloaded these apps. 

CallJam is a piece of malware that includes a premium dialer to generate fraudulent phone calls, along with a rough adnet designed to display ads to its victims. Hidden inside a game called Gems Chest for Clash Royale and available in Google Play since May, the malware might have infected nearly half a million devices, Check Point researchers say. Google was informed about the malware this week.

The malware was observed requesting permission from the user before starting to make premium calls. However, Check Point’s security researchers explain that most users usually grant those permissions willingly, some without reading or fully understanding information about the permissions they are granting.

The malware’s command and control (C&C) server provides the targeted premium phone number and information about the length of the call, and CallJam initiates a call using these parameters. The malicious program can also redirect victims to malicious websites and can display fraudulent ads on these websites instead of displaying them directly on the device, thus generating additional fraudulent revenue.

“Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk,” researchers say.

The DressCode malware, however, is an entirely different story, starting with the fact that it creates a botnet of infected devices, most probably to generate ad clicks and false traffic. In addition to the 40 apps in Google Play that contain the malicious code, security researchers also discovered 400 other apps on third-party app stores.

The Google Play apps, some published in the storefront in April this year, had a combined user base of between 500,000 and 2 million when they were discovered. Google removed some of these programs soon after being informed of the malware, Check Point reports.

As soon as it has been installed on a device, DressCode initiates communication with the C&C server, which was observed only ordering the malware to “sleep.” Most probably, the attackers were looking to create a larger botnet and then start using it for malicious purposes by turning infected devices into SOCKS proxies and rerouting traffic through them.

DressCode, researchers say, is a piece of malware similar to Viking Horde, which was discovered earlier this year. The created botnet can be used for various purposes, even to infiltrate internal networks. “Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations,” Check Point notes. The researchers published a video detailing how this can be done, along with a list of infected packages found on Google Play.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
