Google Play apps steal texts and pepper you with unauthorized purchases

reader comments

26 with 16 posters participating

Security researchers have uncovered a batch of Google Play apps that stole users’ text messages and made unauthorized purchases on users’ dime.

The malware, which was hidden in eight apps that had more than 700,000 downloads, hijacked SMS message notifications and then made unauthorized purchases, McAfee mobile researchers Sang Ryol Ryu and Chanung Pak said Monday. McAfee is calling the malware Android/Etinu.

User data free for the taking

The researchers said an investigation of the attacker-operated server that controlled infected devices showed it stored all kinds of date from users’ phones, including their mobile carrier, phone number, SMS messages, IP address, country, and network status. The server also stored auto-renewing subscriptions, some of which looked like this:

No joke

The malware is reminiscent, if not identical, to a prolific family of Android malware known as Joker, which also steals SMS messages and signs up users for pricey services.

“The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission,” the researchers wrote referring to Etinu. “Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface.”

While the researchers say that Etinu is a malware family distinct from Joker, security software from Microsoft, Sophos, and other companies use the word Joker in their detection names of some of the newly discovered malicious apps. Etinu’s decryption flow and use of multi-stage payloads are also similar.

The apps and corresponding cryptographic hashes are:

Some of the apps look like this:

The researchers said they reported the apps to Google, and the company removed them.