Hundreds of scam apps hit over 10 million Android devices

Never put a GriftHorse on your phone.

John Lamparsky | Getty Images


Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.

Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like “Handy Translator Pro,” “Heart Rate and Pulse Tracker,” and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to “confirm” their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It’s a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.

The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it’s significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.

Zimperium is a member of the App Defense Alliance, a coalition of third-party companies that help keep tabs on Play Store malware, and the company disclosed the so-called GriftHorse campaign as part of that collaboration. Google says that all of the apps Zimperium identified have been removed from the Play Store and the corresponding app developers have been banned.

The researchers point out, though, that the apps—many of which had hundreds of thousands of downloads—are still available through third-party app stores. They note also that while premium SMS fraud is an old chestnut, it’s still effective because the malicious charges typically don’t show up until a victim’s next wireless bill. If attackers can get their apps onto enterprise devices, they can even potentially trick employees of large corporations into signing up for charges that could go unnoticed for years on a company phone number.
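One way a company could surface the kind of recurring premium SMS charge described above on its own lines, shown as an added example that is not from Zimperium or the original article. The CSV column names, phone numbers, and merchant labels are constructed assumptions about a carrier billing export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a carrier billing export; the column names,
# numbers and merchant labels are assumptions, not real data.
SAMPLE_BILLING_CSV = """line_number,bill_month,charge_type,merchant,amount
+15550100,2021-03,premium_sms,PRIZE-SVC,42.00
+15550100,2021-04,premium_sms,PRIZE-SVC,42.00
+15550100,2021-05,premium_sms,PRIZE-SVC,42.00
+15550100,2021-04,data_plan,CARRIER,30.00
+15550101,2021-04,premium_sms,CHARITY-TXT,10.00
+15550102,2021-02,premium_sms,PRIZE-SVC,42.00
+15550102,2021-05,premium_sms,PRIZE-SVC,42.00
"""

def month_index(bill_month):
    # "2021-04" -> a single integer so adjacent months differ by exactly 1.
    year, month = bill_month.split("-")
    return int(year) * 12 + int(month)

def longest_consecutive_run(months):
    # Length of the longest streak of back-to-back billing months.
    idx = sorted({month_index(m) for m in months})
    best = run = 1
    for prev, cur in zip(idx, idx[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_recurring_premium_sms(csv_text, min_months=2):
    # Group premium SMS charges by (phone line, merchant) and flag any
    # pair billed in at least `min_months` consecutive months.
    charges = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["charge_type"].strip().lower() != "premium_sms":
            continue
        key = (row["line_number"].strip(), row["merchant"].strip())
        charges[key].append((row["bill_month"].strip(), float(row["amount"])))
    findings = []
    for (line, merchant), items in sorted(charges.items()):
        run = longest_consecutive_run([m for m, _ in items])
        if run >= min_months:
            total = round(sum(amount for _, amount in items), 2)
            findings.append({"line": line, "merchant": merchant,
                             "consecutive_months": run, "total": total})
    return findings
```

One-off premium SMS charges and charges separated by gaps are not flagged at the default threshold, so a single charitable donation by text does not raise a finding.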

Though taking down so many apps will slow the GriftHorse campaign for now, the researchers emphasize that new variations always crop up.

“These attackers are organized and professional. They set this up as a business, and they’re not just going to move on,” says Shridhar Mittal, Zimperium’s CEO. “I’m certain this was not a one-time thing.”

This story originally appeared on
