ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year, most recently malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the app downloaded and a web interface called WebView. This action allows the malware to run in-app controls through this WebView interface including but not limited to sending SMS messages and registering the user devices to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication will send data about the infected device including IP address, MAC address and Geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear cut proof to that effect. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.

A Closer Look at Spyware Apps Distributed by Google

Phone apps and SDK’s

Software Developer kits (SDKs) are used to help developers quickly code their apps with advertising in mind. This way, they can receive advertising payments from their apps. Until recently, Google didn’t allow any changes to SDKs once they were checked into the play store. Enter Chinese SDK creator Lgexin.

Sneaky Lgexin SDK

Lgexin is responsible for more than 500 android apps in the Google Play store being corrupted. Previously they were not able to alter their SDK once it went to market, due to Google’s strict guidelines around SDK implementation. Their workaround for this was to get approval from the dev owner in order to make some small updates to the SDK package and re-submit it into the Google Play store. These small changes were masked and encrypted to try and hide the phone call tracing functionality that was being inserted.

What is the threat?

Lgexin could do whatever they like with the call data they would receive from users of their SDK applications. This call data could be sold to other companies for telemetry purposes or even to the government for global call tracking. Some of the apps include weather apps, teen related games, photo editors, radio and even some fitness apps. With over 100 million downloads of just one of these apps, Lgexin put a lot of people’s privacy and data at risk.

One of the most downloaded apps was called “Lucky Cash- Earn Free Money”, which would prompt the user with a fake google prompt to allow full access to the phone’s call functionality. Millions of users could have unknowingly granted this access. The plugin is called a “phonestatelistener” and can capture the time of the call, the state of the call and the calling number. The data is then sent encrypted to Lgexin’s API for purposes which remain unknown.

What can I do?

From a user perspective, whenever downloading an app from the app store, you should be prompted with any and all permissions that the application will need from your phone in order to operate. This is where common sense needs to come in. First, do you even need or want the app? Do the permissions requested seem reasonable for the app? i.e. does this calculator app really need access to your contact list or pictures? Once you download an app, you shouldn’t be prompted by the play store via pop up for additional permissions. Lastly, be sure to review your apps on occasion and uninstall any that you are no longer using.

Even following the suggestions above is no guarantee. Lgexin has put trusted downloads in a new light and serves as a reminder that you can no longer trust an app based primarily on the number of downloads it has.