Malicious app BankMirage makes quick appearance in Google Play
Malicious app BankMirage makes quick appearance in Google Play

The AsiaHitGroup Gang earlier this year released its third wave of fraudulent apps into Google Play, this time using a silent background push notification to subscribe their victim to a premium mobile service.

The gang's operation was uncovered by McAfee researchers who noted the appearance of the repackaged app Sonvpay.C in Google Play. The malware was hiding behind 15 different apps that represented themselves as everything from a mobile Wi-Fi hotspot to a QR code reader. So far McAfee believes the malicious apps have been downloaded about 50,000 and could possibly have generated up to $145,000 for AsiaHitGroup.

All those targeted are in Russia, Thailand and Malaysia. The gang is specifically targeting these areas as it takes note of the IP address location and it will terminate the installation if the device is not in one of these three countries.

Google was notified of the problem on April 10 and it quickly removed the offending apps, however, McAfee noted the gang again tried to slip in when Despacito for Ringtone was spotted and subsequently removed.

Those who fell for the fake apps while they were live on Google Play did receive an actual working app, but one with Sonvpay employing the onesignal push notification that would appear in the form of a fake update form.

Even if the victim wises up at this point and does not click skip the malware will go ahead and subscribe the person to the premium service using WAP Billing and SMS Fraud.