Hijack SMS notifications by new billing fraud apps on google play
Researchers have uncovered a new set of fraudulent Android apps in the Google Play store that were found to hijack SMS message notifications for carrying out billing fraud.
The apps in question primarily targeted users in Southwest Asia and the Arabian Peninsula, attracting a total of 700,000 downloads before they were discovered and removed from the platform.
The findings were reported independently by cybersecurity firms Trend Micro and McAfee.
“Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases,” researchers from McAfee said in a Monday write-up.
The fraudulent apps belong to the so-called “Joker” (aka Bread) malware, which has been found to repeatedly sneak past Google Play defenses over the past four years, resulting in Google removing no fewer than 1,700 infected apps from the Play Store as of early 2020. McAfee, however, is tracking the threat under a separate moniker named “Etinu.”
The malware is notorious for perpetrating billing fraud and its spyware capabilities, including stealing SMS messages, contact lists, and device information. The malware authors typically employ a technique called versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then sneakily adding malicious code at a later stage via app updates, in a bid to slip through the app review process.
The additional code injected serves as the first-stage payload, which masquerades seemingly innocuous .PNG files and establishes with a command-and-control (C2) server to retrieve a secret key that’s used to decrypt the file to a loader. This interim payload then loads the encrypted second payload that’s ultimately decrypted to install the malware.