Malware family with nearly 21M infections returns to Google Play.

Malware dubbed ExpensiveWall found its way onto Google Play in what has been claimed to be the second-biggest outbreak ever to hit Google's platform.

Check Point researchers said the malware is part of a family that may have claimed as many as 21.1 million infections, registering users for fraudulent premium SMS messages and charging fake services to user accounts without their knowledge.

ExpensiveWall was found inside wallpaper apps and, according to Google Play data, infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The malware is a new variant of malware spotted earlier this year in the Google Play store, and it got its name from one of the apps it uses to infect devices, named ‘Lovely Wallpaper.’ The new variant sets itself apart by using an advanced obfuscation technique with which malware developers encrypt malicious code, allowing the malware to evade Google Play's built-in anti-malware protections.

Check Point notified Google of the malware on Aug. 10, and the malware was promptly removed. Within a few days of the initial report, however, the malware was back up and infected more than 5,000 devices before Google removed the malicious apps again. The malware also remains on the devices of users who downloaded the apps and will require manual removal, even though it is no longer in Google Play.

While the malware is currently designed only to generate profit from its victims, similar malware could easily be modified to use the same infrastructure to capture pictures, record audio, and even steal sensitive data and send it to a command and control (C&C) server, researchers warned.

With so much money being flushed into mobile phones and the technology that surrounds them, it's no surprise criminals are targeting their malware efforts in this direction, Javvad Malik, security advocate at AlienVault, told SC Media.

“App store operators like Google need to be on their toes as mobile phones have become irreplaceable due to their high functionalities,” Malik said. “Because of the increased level of sophistication shown by today's cyber attackers, app stores need to constantly seek out new and improved ways to step up their security efforts.”

Malik added that Google also needs to collaborate more closely with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores accordingly.