Cybersecurity researchers have reported that Google is fighting a massive malware outbreak, considered to be the second biggest it has faced so far. Dubbed ExpensiveWall, the Android malware was able to bypass Google's security measures and penetrate the Play Store.
ExpensiveWall was found in over 50 apps (all of which have since been removed from the store). Some of these apps were popular, with approximately 4.2 million downloads, and some had been in the store since 2015.
ExpensiveWall is a variant of a malware family that had been found earlier on Google Play. After those apps were taken down, the threat actors appear to have released another modified version from the same family, which again penetrated the Play Store and led to a significant number of further infections. Overall, it has been estimated that around 21.1 million infections could have occurred.
How did ExpensiveWall penetrate the Play Store?
Google follows a robust verification and vetting process before it allows any app onto its Play Store, and users are led to believe that all apps on the Play Store can be trusted to be free of malware. So the question arises: how was the malware able to evade Google's verification process? The answer is "packed" malware. Malware authors use an obfuscation technique known as packing: the malicious code is packed so that it is hidden from detection, and in this case the technique was successful.
Impact on Users
Even though the apps have been removed from the store, users who already have them installed on their devices are still at risk. If the user has Google Play Protect enabled, the malicious apps will have been removed; otherwise the user has to remove the infected app manually.
What does ExpensiveWall Android Malware do?
The malware requests permissions such as sending SMS and internet access. It uses the internet permission to pass critical information about the device (IMEI, IMSI, MAC and IP addresses) to a command-and-control server. It uses the SMS permission to send premium SMS messages, and it subscribes the user to a host of fake premium paid services without any authorization or approval from the user. The user only finds out that something is wrong after examining the bill.
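The permission mix described above (SMS sending plus internet access, and the phone-state permission an app needs to read IMEI/IMSI) is something a defender can triage straight from an app's manifest. The following is an added example, not code from the original article or from any analysis of ExpensiveWall: it parses an AndroidManifest.xml and flags the risky permission combinations; the sample manifest and the "wallpaper app" package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission combinations matching the behaviour the article describes:
# SEND_SMS + INTERNET enables premium-SMS fraud driven from a C2 server;
# READ_PHONE_STATE + INTERNET enables exfiltration of IMEI/IMSI.
# (READ_PHONE_STATE is an assumption added here: it is the permission
# an app needs to read those identifiers; the article does not name it.)
RISKY_COMBOS = {
    "premium-sms-fraud": {"android.permission.SEND_SMS",
                          "android.permission.INTERNET"},
    "device-id-exfiltration": {"android.permission.READ_PHONE_STATE",
                               "android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {e.get(name_attr) for e in root.iter("uses-permission")
            if e.get(name_attr)}


def flag_risky_combos(manifest_xml: str) -> list:
    """Return the sorted labels of every risky combo fully present."""
    perms = declared_permissions(manifest_xml)
    return sorted(label for label, needed in RISKY_COMBOS.items()
                  if needed <= perms)


# Constructed sample manifest (not from any real app): a wallpaper app that
# declares the same permission mix the article attributes to ExpensiveWall.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for label in flag_risky_combos(SAMPLE_MANIFEST):
        print("flagged:", label)
```

A manifest can be pulled from an APK with standard tooling; a flagged combination is a reason to look closer at the app and its embedded SDKs, not proof of malice on its own.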
Embedded Developer Kit
In many cases, it seems the owners of the "malicious apps" had unknowingly included the malware in their apps. Developers embed third-party developer kits (SDKs) in their apps, and in the case of ExpensiveWall the kit they used turned out to be malicious.
Protection from ExpensiveWall Android Malware
This malware is quite sophisticated and is not detected by traditional antivirus solutions. Only an advanced Android antivirus solution that can block zero-day exploits by analyzing the behavior of suspected malware in a "contained" environment would be able to thwart it. An effective antivirus for Android devices is definitely necessary.