Google has taken increasingly sophisticated steps maintain malicious apps outside of Google Play. But a new round of removals involving some 200 apps and more than 10 million potential victims shows that this long-standing problem is still far from resolved, and in this case, it can cost users hundreds of millions of dollars.
Researchers at the mobile security company Zimperium say that massive scam campaign has affected Android since November 2020. As is often the case, attackers were able to infiltrate benign-looking applications such as “Handy Translator Pro”, “Heart Rate and Pulse Tracker” and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, the victim would receive a flood of notifications, five per hour, prompting her to “confirm” her phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious flags out of the app code. Once a user entered their digits, the attackers enrolled them for a recurring monthly charge of approximately $ 42 through the premium SMS services feature of wireless bills. It is a mechanism that normally allows you to pay for digital services or, say, send money to a charity via text message. In this case, it went directly to the criminals.
The techniques are common in malicious Play Store apps and premium SMS fraud in particular, it is a notorious issue. But the researchers say it is significant that attackers were able to tie together these known approaches in a way that was still extremely effective, and in staggering numbers, even as Google has continually improved its Android security and Play Store defenses.
“This is an impressive delivery in terms of scale,” says Richard Melick, Zimperium’s director of product strategy for endpoint security. “They took out the full glove of techniques in all categories; These methods are refined and proven. And it really is a carpet bomb effect when it comes to the number of applications. One may be successful, another may not be, and that’s okay. “
The operation targeted Android users in more than 70 countries and specifically verified their IP addresses to get an idea of their geographic regions. The application would display web pages in the primary language of that location to make the experience more engaging. Malware operators were careful not to reuse URLs, which can make it easier for security researchers to track them. And the content the attackers generated was high-quality, without the typographical and grammatical errors that can reveal more obvious scams.
Zimperium is a member of Google Application Defense Alliance, a coalition of third-party companies that help control Play Store malware, and the company unveiled the so-called GriftHorse campaign as part of that collaboration. Google says that all the apps identified by Zimperium have been removed from the Play Store and the corresponding app developers have been banned.
However, the researchers note that the apps, many of which had hundreds of thousands of downloads, are still available through third-party app stores. They also point out that while premium SMS fraud is an old trick, it’s still effective because malicious charges typically don’t show up until the victim’s next wireless bill. If attackers can push their apps onto business devices, they can even trick employees of large corporations into signing up for charges that could go unnoticed for years on a business phone number.
Although removing so many apps will slow down the GriftHorse campaign for now, the researchers emphasize that new variations are always emerging.
“These attackers are organized and professional. They set this up as a business, and they’re not just going to move on, ”says Shridhar Mittal, CEO of Zimperium. “I’m sure this was not a one-time thing.”
This story originally appeared in wired.com.