Mobile Malware Group Hits Google Play a Third Time

Cybercriminals who had targeted Android mobile device users twice over the past two years with fraudulent apps in the Google Play app store are at it again. Earlier this year, the group came out with a third effort, using silent push notifications in the background to subscribe users to a premium-rate mobile service.

According to McAfee researchers, who first uncovered the work of the AsiaHitGroup Gang in 2016, the same group had returned this year with a repackaged and more sophisticated app that illustrates a trend in mobile malware. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

"This is becoming very typical of campaigns from the past two years," Irfan Asrar, senior manager of malware and threat research at McAfee, told Security Now in an email. "Mobile malware authors are churning out campaigns much faster than any other period in the fourteen-year history of mobile malware. Despite the fact that the total number of mobile malware samples actually dropped in Q2 by 2 percent, what comes as a shock is that the earning potential per each campaign has increased and continues to increase. In other words, they are scaling fraud, making more money with less samples that are more efficiently distributed."

(Source: Flickr)

The AsiaHitGroup Gang was responsible for the distribution of fake-installer applications dubbed Sonvpay.A, which in 2016 targeted at least 20,000 Android mobile device users in Thailand and Malaysia, charging them for the download of copies of popular applications, according to Carlos Castillo, mobile malware researcher at McAfee.

A year later, the same group returned with Sonvpay.B, a campaign found on Google Play that used IP address geolocation to confirm what country the victim was in. It also included victims from Russia to a WAP billing fraud campaign.

The group returned again in January with Sonvpay.C, which leverages silent background push notifications that trigger a fake update dialog, Castillo wrote in a post on the McAfee Labs blog this week. However, when users start the update, what happens is that they unwittingly subscribe to a premium-rate service that operates primarily through WAP billing.

This way, there is no SMS message required to be sent to premium-rate numbers.

The malware was placed behind 15 apps on the Google Play store that were presented as WiFi hotspots, ringtones, Qrcode scanners, photo editors and a night light. The Sonvpay.C campaign targeted victims in Malaysia and Kazakhastan and, according to Castillo, some of the apps were installed at least 50,000 times.

All told, the malware group could have earned between $60,500 and $145,000 since the first app appeared in the app storage in January.

Google removed the apps after McAfee alerted the company to them in April.

"Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits," Castillo wrote in the blog. "We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world."

(Source: McAfee)

In its Android Security 2017 Year in Review report, McAfee researchers said that toll fraud -- which includes WAP billing fraud -- is among the most prominent potentially harmful apps on Google Play. Attacks on Android devices in general continue to rise. Sophos Labs analysts in their 2018 Mobile Malware Forecast said that there were almost 3.5 million malicious Android apps in 2017, up from just more than 500,000 in 2013. Sophos processed about 10 million Android samples submitted by customers in 2017, up from 8.5 million the year before. (See Smartphones Remain the Most Vulnerable of Endpoints.)

Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

It's no surprise that Android devices are targeted, McAfee's Asrar said.

"Because of pricing and ease of availability, Android devices tend to be more attractive to first-time smartphone buyers, especially in emerging Third World countries, hence malware authors tend to gravitate to it globally," he said. "What we have seen with the more successful campaigns is that that they tend to charge a very tiny amount, which gets buried in the monthly bills of all the subscription services such as Netflix, iTunes, Hulu, Spotify, Amazon that people typically subscribe to going unnoticed for several billing cycles until eventually someone goes, 'Wait, that doesn't seem right.' "

The McAfee researcher said that Google has historically acted quickly when issues like the Sonvpay campaigns are brought to it, but added that "we have to recognize we are dealing with highly-funded and innovative adversaries that are quick to adapt their techniques to achieve their objectives."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.