ExpensiveWall virus infiltrates over 50 Google Play Store apps

Another fatal blow to the Android community

Android suffers another cyber assault

The cyber assault on Android mobile users continues. Since the appearance of Judy malware several months ago, cyber villains seem to have used the intervening months to their benefit, striking the community with the more menacing ExpensiveWall campaign.

It is named after one of the 50 hacked apps, which register users for premium services. While the number of affected applications is not high, the number of downloads is astonishing. More than 1 million users are said to be affected by this campaign.

Intriguing features

The times when felons tried to foist their own malicious apps on users seem to have long passed. Now they take bigger risks by hijacking legitimate apps[1]. Thus, ExpensiveWall stands out for its sophistication.

One of the key aspects of the threat is its immunity to the malware detection tools integrated into the Google Play store. The fraudsters wrapped the malicious JavaScript code in an additional layer, thus granting the malware this immunity.

Before you download the infection disguised as an innocent app, it will ask for access to your phone number, Wi-Fi connection, and other commonly requested permissions. Unfortunately, by granting it, users only facilitate the activity of the malevolent JavaScript.

The virus connects to a remote Command and Control server. Its interface communicates with the one located on WebView[2]. The Android virus variant can also subscribe you to paid services without your consent.

Affected users complain that the malware “costs” them 10 EUR per week. One of the domains victims are unwillingly subscribed to is GamiFive.be. Some other corrupted apps are I Love Fliter, Horoscope, Tide Camera, Wifi Booster, Memory Doctor, and others.

Other insidious hacking techniques

While this campaign has clearly resonated in the mobile user community, users should be wary of another one as well.

Kaspersky Lab experts detected malware dubbed Xafecopy, which takes advantage of the WAP billing feature[3]. The feature was created to help users pay for online services from their mobile accounts.

Though few of the latest mobile models support this feature, a number of older models used worldwide are subject to the vulnerability. Interestingly, this version mostly affected Indian users, with fewer cases detected in Mexico, Russia and Turkey.

Any way to avoid the malware?

Since it is no longer safe to download apps from the Google Play store, as malware developers create anti-sandbox malware, it is time for you to take the necessary measures:

  • Before downloading a mobile app, check what features and information it requires access to
  • Install the mobile version of an anti-virus utility and keep it updated
  • Back up your mobile
About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.