
ExpensiveWall signs users up to fraudulent SMS services

19 Sep 17

Some Android users may notice fraudulent charges on their accounts if they have been infected by a new strain of malware dubbed “ExpensiveWall”.

According to research from Check Point, the malware is named after one of the apps it infected: ‘Lovely Wallpaper’. It also affected other apps including X Wallpaper, Color Camera, Horoscope, Sale locker, Wifi Booster, Yes Star, Tool Box Pro, Memory Doctor, Global Weather, Music Player and other apps.

Discovered earlier this year, the malware is estimated to account for between 5.9 million and 21.1 million downloads.

While Google removed the original malware samples from Google Play, days later another variant popped up that infected more than 5000 devices.

While the malware is no longer available on Google Play, Check Point researchers warn that it still remains on victims’ devices that were already infected.

ExpensiveWall is ‘packed’ to hide from anti-malware protections such as those in Google Play.

The malware registers victims to premium services without their knowledge, sends SMS messages and charges their accounts for the fraudulent services.

“While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov say in Check Point’s blog.

After being downloaded with compromised apps, ExpensiveWall then requests permissions including internet access. This is important to facilitate communication with its C&C server. It also requests SMS permissions so it is able to send the fraudulent premium SMS messages.

Researchers say that because many legitimate apps request similar permissions, most users grant them without a second thought, especially when apps come from trusted sources such as Google Play.

ExpensiveWall also reports data about the device to its C&C server. That data includes location, MAC and IP addresses, IMSI and IMEI.

When the device is switched on or connected, the malware then connects to the C&C server and an embedded WebView URL. It silently clicks on webpage links, subscribing users to premium services and sending SMS messages.
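The permission pattern described above (internet access for C&C traffic plus SMS permissions for premium subscriptions, alongside collection of device identifiers) is something a reviewer can check for in an APK's manifest before anything runs. The following script is an added example written for this page, not Check Point's code and not the malware's: it parses an AndroidManifest.xml and flags the SEND_SMS-plus-INTERNET combination. The two manifests are constructed for illustration; the READ_PHONE_STATE and location permissions in the identifier set are an assumption about what reading IMEI, IMSI and location normally requires, since the article reports the data collected, not the permissions behind it.

```python
"""Manifest triage for the premium-SMS fraud permission pattern.

Added example (not Check Point's or the malware's code). Parses an
AndroidManifest.xml and reports whether the app combines SMS-sending
with internet access, which is what an app needs to both subscribe a
user to premium services and talk to a C&C server.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the article says ExpensiveWall requests.
SMS_PERMISSIONS = {"android.permission.SEND_SMS"}
NET_PERMISSIONS = {"android.permission.INTERNET"}
# Assumption: reading IMEI/IMSI and location normally needs these; the
# article lists the data reported to the C&C server, not the permissions.
IDENTITY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed sample manifests (not taken from any real app).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.clean">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def premium_sms_risk(manifest_xml):
    """Flag the SEND_SMS + INTERNET combination and related identifier access.

    Returns a dict with the declared permissions, human-readable findings,
    and a boolean 'flag' that is True only when SMS sending and internet
    access are both present.
    """
    perms = declared_permissions(manifest_xml)
    sms = perms & SMS_PERMISSIONS
    net = perms & NET_PERMISSIONS
    ident = perms & IDENTITY_PERMISSIONS
    findings = []
    if sms and net:
        findings.append(
            "SEND_SMS combined with INTERNET: app can subscribe the user to "
            "premium services and reach a remote server"
        )
    if sms and ident:
        findings.append(
            "SEND_SMS combined with device-identifier or location access: "
            + ", ".join(sorted(ident))
        )
    return {
        "permissions": sorted(perms),
        "findings": findings,
        "flag": bool(sms and net),
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        report = premium_sms_risk(manifest)
        print(label, "flag=%s" % report["flag"])
        for finding in report["findings"]:
            print("  -", finding)
```

The check is a triage heuristic, not a verdict: plenty of legitimate messaging apps declare SEND_SMS with INTERNET. Its value is contextual, which is the point the researchers make about wallpaper and camera apps: an app whose purpose gives it no reason to send SMS should not be asking for that permission, and the flag is what prompts a closer look at what the app does with it.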

“Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available,” researchers conclude.
