Google has made increasingly sophisticated efforts to keep harmful apps off of Google Play over time.
However, a fresh batch of deletions involving about 200 applications and more than 10 million potential victims demonstrates that this long-standing issue is far from resolved, potentially costing users hundreds of millions of dollars.
The enormous scamming campaign has plagued Android since November 2020, according to Zimperium researchers.
The attackers were able to insert seemingly benign apps like “Handy Translator Pro,” “Heart Rate and Pulse Tracker,” and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister, as they so often do.
A victim who downloaded one of the malicious applications would receive a barrage of notifications every hour, five minutes apart, asking them to confirm their phone number in order to claim a reward. The “prize” claim page was served through an in-app browser, a typical way for attackers to avoid leaving traces of the scam in the app’s own code.
Once a victim had entered a phone number, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It’s a mechanism that allows you to purchase digital services or, say, send money to a charity via text message; in the hands of criminals, it became a way to bill victims directly.
The methods have long been used in malicious Play Store programs, and premium SMS fraud in particular is a well-known problem.
But the researchers note that even as Google has improved its Android security and Play Store defenses, attackers were able to combine these known techniques in a way that was still quite effective—and at staggering rates.
“This is impressive delivery in terms of scale,” says Richard Melick, Zimperium’s director of product strategy for end-point security.
“They pushed out the full gauntlet of techniques across all categories; these methods are refined and proven. And it’s really a carpet-bombing effect when it comes to the number of apps. One might be successful, another might not be, and that’s fine.”
The criminals behind the “Protect My Android” scam ran a sophisticated operation that targeted Android users in over 70 countries, using victims’ IP addresses to determine their location.
To make the experience more appealing, the application would display webpages in that region’s primary language.
The malware authors took care to avoid reusing URLs, which aid security researchers in tracking them down.
Zimperium is a member of Google’s App Defense Alliance, which includes other third-party firms that collaborate to combat malware on the Play Store.
The GriftHorse campaign was revealed as part of this collaboration. According to Google, all of the applications Zimperium discovered have now been removed from the Play Store, with app developers’ accounts having been terminated.
However, the apps—many of which had millions or even tens of millions of downloads—are still accessible through third-party app stores, according to the researchers.
They also note that while premium SMS fraud is an old chestnut, it’s still effective because fraudulent charges generally aren’t noticed until after a victim has been billed a second time.
If attackers are able to place their applications on company devices, they may be able to deceive big business employees into signing up for charges that would go unnoticed for years on a corporate phone number. Taking down so many applications may slow down the GriftHorse campaign for the time being, but new variations always emerge.
“These attackers are well-organized and skilled,” Zimperium’s Shridhar Mittal explains. “They’ve set this up as a business; they’re not just going to move on after this. I’m sure it wasn’t a one-time occurrence.”