Infected apps are secretly stealing money from millions of people

'All of this illicit activity takes place without the victim’s knowledge'

Aatif Sulleyman
Friday 27 October 2017 15:01 BST
Comments
A 3D printed Android logo is seen in front of a displayed cyber code in this illustration taken March 22, 2016
A 3D printed Android logo is seen in front of a displayed cyber code in this illustration taken March 22, 2016 (Reuters)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Malware that secretly charges users for fake services has been downloaded by millions of people, a new report says.

“ExpensiveWall”, software designed to cheat users out of their money without them realising, was hidden in at least 50 apps in the Google Play store. A list of apps can be found further down this page.

According to the Check Point researchers who discovered it, ExpensiveWall has been downloaded between one million and 4.2 million times.

“The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services,” the researchers said.

“In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called ‘Continue’, and once the user clicks the button, the malware sends a premium SMS on [their] behalf.”

A number of people who installed ExpensiveWall-infected apps tried to warn other users off downloading them by leaving negative reviews on Google Play. Some of these read:

  • “Scam!!!”
  • “Virus detected”
  • “It is NOTHING like the ad on Instagram tey [sic] lie to you DO NOT DOWNLOAD IT”

“The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times,” said Check Point.

The ExpensiveWall apps were reported to Google on 7 August and removed from the Play store.

However, Check Point says more infected apps were made available to download on Google Play “within days”. These were taken down four days later.

Cyber-attack: MalwareTech on how he "accidentally" halted the spread of the ransomware

The ExpensiveWall apps requested a number of permissions from users after being downloaded, including internet and SMS access.

These are fairly common permissions that most users wouldn’t think twice about granting, but allowed ExpensiveWall to operate.

However, Check Point says it could have caused a lot more damage.

“While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server,” it said.

“Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.”

Check Point says ExpensiveWall is a new variant of a malware found on Google Play earlier this year by McAfee, and says “the entire malware family” has been downloaded between 5.9 million and 21.1 million times.

If you downloaded an ExpensiveWall-infected app, you should delete it immediately. Check Point has listed the following apps online:

  • I Love Fliter
  • Tool Box Pro
  • X WALLPAPER
  • Horoscope
  • X Wallpaper Pro
  • Beautiful Camera
  • Color Camera
  • Love Photo
  • Tide Camera
  • Charming Camera
  • Horoscope
  • DIY Your Screen
  • Ringtone
  • ดวง 12 ราศี Lite
  • Safe locker
  • Wifi Booster
  • Cool Desktop
  • useful cube
  • Tool Box Pro
  • Useful Desktop
  • ดวง 12 ราศี Lite
  • Horoscope2.0
  • Yes Star
  • Shiny Camera
  • Simple Camera
  • Smiling Camera
  • Universal Camera
  • Amazing Toolbox
  • Easy capture
  • Memory Doctor
  • Tool Box Pro
  • Reborn Beauty
  • Joy Photo
  • Fancy Camera
  • Amazing Photo
  • Amazing Camera
  • Super Wallpaper
  • DD Player
  • Fascinating Camera
  • Universal Camera
  • Cream Camera
  • Looking Camera
  • DD Weather
  • Global Weather
  • Love Fitness
  • Pretty Pictures
  • Cool Wallpapers
  • Beauty Camera
  • Love locker
  • Real Star
  • Magic Camera
  • Wonder Camera
  • Funny Camera
  • Easy Camera
  • Smart Keyboard
  • Travel Camera
  • Photo Warp
  • Lovely Wallpaper
  • Lattice Camera
  • Quick Charger
  • Up Camera
  • Photo Power
  • HDwallpaper
  • Wonderful Games
  • BI File Manager
  • Wallpapers HD
  • Beautiful Video-Edit your Memory
  • Wonderful Cam
  • useful cube
  • Ringtone
  • Exciting Games
  • Replica Adventure
  • GG Player
  • Love Camera
  • Oneshot Beautify
  • Pretty Camera
  • CuteCamera
  • Cartoon Camera-stylish, clean
  • Art Camera
  • Amazing Video
  • Fine Photo
  • Infinity safe
  • Magical Horoscope
  • Toolbox
  • Cute Belle
  • CartoonWallpaper
  • Ringtone
  • Best Camera
  • Colorful Locker
  • Light Keyboard
  • Safe Privacy
  • Enjoy Wallpaper
  • File Manager
  • Fancy locker
  • Cute Puzzle
  • Smile Keyboard
  • Vitality Camera
  • Lock Now
  • Fancy Camera
  • Useful Camera
  • Vitality Camera
  • Sec Transfer
  • Lock Now
  • Magic Filter
  • Funny Video
  • Amazing Gamebox
  • Super locker
  • Music Player

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in