Hundreds of scandal apps have targeted more than 10 million Android devices.
Google has taken increasingly sophisticated steps to keep malicious apps away from Google Play. But a new round of emissions of nearly 200 apps and more than 10 million potential victims shows that this long-standing problem is far from resolved – and in that case, potentially cost users millions of dollars.
Researchers at mobile security firm Zamprem say that since November 2020, a massive scam has engulfed Android. And “Bus – Metroless 2021” as a front in Google Play is a little too scary. After downloading one of the malicious apps, a victim will receive a flood of five-hour notifications, prompting them to “verify” their phone number to claim a reward. The “Rewards” claim page is loaded through an app browser, a common technique for keeping malicious gestures out of the app’s own code. Once a user enters their numbers, the attackers sign them up for a monthly recurring payment of about $ 42 through the premium SMS services feature of wireless bills. This is a method that usually allows you to pay for digital services or, say, send money to a charity via text message. In that case, it went straight to the thugs.
The technique is common in malicious store apps, and premium SMS fraud in particular is a notorious problem. But researchers say it’s important that attackers were able to combine well-known methods that were still highly effective – and surprisingly large – even as Google upgraded its Android security and Play Store. The defense is constantly improving.
“This is an impressive delivery in terms of scale,” says Remard Melk, Zamprem’s director of product strategy for endpoint security. “They’ve advanced the full gauntlet of techniques in all categories. These methods are better and more proven. And when it comes to the amount of apps, it’s really a carpet bomb effect. One can succeed, the other can’t.” And that’s fine.
The operation targeted Android users in more than 70 countries, specifically checking their IP addresses to gain a sense of their geographical location. The app will display web pages in the local language to make the experience more engaging. Malware operators take care not to reuse URLs, which can make it easier for security researchers to track them down. And the material that the attackers produced was of the highest quality, without the typos and grammatical errors that could dispel more obvious scams.
Zamprem is a member of Google’s App Defense Alliance, an alliance of third-party companies that help keep tabs on the Play Store malware, and the company unveiled the so-called Griffith Horse campaign as part of that collaboration. Google says all apps identified by Zamiprem have been removed from the Play Store and related app developers have been banned.
The researchers pointed out, however, that apps جن many of which had millions of downloads ہیں are still available through third-party app stores. They also note that although premium SMS fraud is an old-fashioned scam, it is still effective because allegations of corruption usually do not appear until a victim’s next wireless bill. If attackers can get their apps on enterprise devices, they could potentially deceive employees of large corporations to sign up for charges that have left the company’s phone number unnoticed for years. ۔
Although the removal of many apps will slow down the Graft Horse campaign for now, the researchers emphasize that new variations are always evolving.
“These attackers are organized and professional. They set it up as a business, and they’re not just moving forward. I’m sure it wasn’t a one-time thing.”
This story was originally published on wired.com.