A whole lot of scam apps hit over 10 million Android devices
Never put a GriftHorse on your phone.
John Lamparsky | Getty Images
Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns, covering around 200 apps and more than 10 million potential victims, shows that this longstanding problem is far from resolved, and in this case it could cost users hundreds of millions of dollars.
Researchers at the mobile security firm Zimperium say the massive fraud campaign has plagued Android since November 2020. As is so often the case, the attackers were able to smuggle legitimate-looking apps such as Handy Translator Pro, Heart Rate and Pulse Tracker, and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim received a barrage of notifications, five an hour, asking them to “verify” their phone number in order to receive a prize. The “prize” request page was loaded through an in-app browser, a common technique for keeping malicious indicators out of the app’s own code. Once a user entered their digits, the attackers signed them up for a monthly charge of around $42 through their carrier’s premium SMS service. It’s a billing mechanism normally used to pay for digital services or, for example, to donate to a charity via text message. In this case the money went straight to crooks.
The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious problem. However, the researchers say that the attackers succeeded in stringing these known approaches together in a way that was still extremely effective – and in staggering numbers – despite the fact that Google has continuously improved its Android security and Play Store protection.
“This is an impressive feat in terms of size,” said Richard Melick, Zimperium’s director of product strategy for endpoint security. “You challenged the full glove of techniques in all categories; these methods are refined and proven. And it’s really a carpet bomb effect when it comes to the number of apps. One may be successful, another may not, and that’s fine.”
The operation targeted Android users in more than 70 countries and checked each victim’s IP address to determine their geographic region. The app would then display web pages in the primary language of that location to make the experience more convincing. The malware operators took care not to reuse URLs, since reused infrastructure makes tracking easier for security researchers. And the content the attackers generated was of high quality, with none of the typographical and grammatical errors that give away more obvious scams.
Zimperium is a member of Google’s App Defense Alliance, a coalition of third-party companies that help monitor the Play Store for malware, and the company reported the GriftHorse campaign as part of that collaboration. According to Google, all apps identified by Zimperium have been removed from the Play Store and the corresponding developers have been banned.
However, the researchers point out that the apps, many of which had hundreds of thousands of downloads, are still available through third-party app stores. They also note that while premium SMS scams may be an old chestnut, they remain effective because the malicious charges typically don’t show up on a victim’s next cell phone bill. If attackers can get their apps onto corporate devices, they can potentially trick employees of even large corporations into signing up for charges that go unnoticed for years on a company phone number.
Although shutting down so many apps will slow down the GriftHorse campaign for now, the researchers stress that new variations keep popping up.
“These attackers are organized and professional. They started this as a company and they won’t just keep going,” says Shridhar Mittal, CEO of Zimperium. “I’m sure it wasn’t a one-time thing.”
This story originally appeared on wired.com.