Panda Security: Identifying New SMS Malware on Google Play
Written by Neil Martin from Panda Security.
Panda Security, The Cloud Security Company, has identified malicious apps on Google Play that can sign users up to premium SMS subscription services without their permission. These new threats have been able to infect at least 300,000 users so far, although the number of malicious downloads could have reached 1,200,000.
“Easy Hairdos”, “Abs Diets”, “Workout Routines” and “Cupcake Recipes” are among the malicious apps available for download on Google Play.
In the case of “Abs Diets”, for example, once the app has been installed and the user has accepted the terms and conditions of use of the service, the following happens: Firstly, the app displays a series of tips to reduce abdominal fat. Secondly, and without the user’s knowledge, the app looks for the phone number of the mobile device, connects to a Web page and signs the victim up to a premium SMS subscription service. However, how do fraudsters obtain the phone number of the device? The number is ‘stolen’ from one of the world’s most popular apps: WhatsApp. As soon as the user opens WhatsApp, the malicious app will get the phone number and save it as part of the data it needs to synchronize the account.
According to data from Google Play, this app has been downloaded by between 50,000 and 100,000 users. The other apps work in exactly the same way, so it is safe to say that the four malicious apps may have infected between 300,000 and 1,200,000 users in total.
“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, £20 paid by each user would result in a huge sum of 6 to 24 million pound stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.
Don’t Get In a Flap Protecting Your Mobile Devices
Regardless of the security solution installed on their devices, users must always read the list of permissions requested by apps before installing them. If an app requires permissions to access the Internet or read SMS messages when there is no need for it, it should not be installed.
The Panda Mobile Security (v1.1) “Privacy Auditor” feature classifies apps with permissions to sign users up for premium SMS services under the “Cost Money” category, from where they can be easily removed.
“Not every app that is included in that category is malicious, as it may need access to calls or SMSs to fulfill its primary function. Having said that, any app with permissions to act in the described manner could be considered dangerous, and if the user sees apps with permissions they should not have, they should remove them immediately”, explained Corrons.
“These apps might stay on Google Play for a long time as, in the end, it is the users themselves who willingly accept the apps’ terms of service, an aspect which might be used by fraudsters as a defense. A defense, in any case, not strong enough to prevent our solution Panda Mobile Security from identifying their intentions”, added Corrons.
Since its recent removal from the Google Play store the interest in the “Flappy Bird” app has gone through the roof leading to scammers launching fake “Flappy Bird” apps, identical to the original except they come with additional premium-SMS capabilities. If you are unable to locate “Flappy Bird” then there are a number of interesting alternatives including Sesame Street’s “Flappy Bert” and Fall Out Boy’s “Fall Out Bird”.
To learn more about the product, please click here.