Hundreds of fraudulent apps affect over 10 million Android devices




Never put a GriftHorse on your phone.

John Lamparski | Getty Images

Google has taken increasingly sophisticated measures to keep malicious apps out of Google Play. But a new round of removals involving around 200 apps and more than 10 million potential victims shows that this long-standing problem is far from over and, in this case, could cost users hundreds of millions of dollars.

Researchers from mobile security company Zimperium say the massive scam campaign has targeted Android since November 2020. As is often the case, the attackers were able to get seemingly benign apps such as “Handy Translator Pro”, “Heart Rate and Pulse Tracker”, and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim received a flood of notifications, five per hour, prompting them to “confirm” their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping the malicious content out of the app’s own code, where it would be more likely to be flagged. Once a user entered their number, the attackers signed them up for a recurring monthly charge of around $42 through the premium SMS service billed by the victim’s wireless carrier. It’s a mechanism that normally lets you pay for digital services or, say, donate to a charity via text message. In this case, the money went straight to the crooks.

The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious problem. But the researchers say what is notable is that the attackers were able to combine these known approaches in a way that was still hugely effective, and at staggering scale, even as Google has continually improved its Android security and Play Store defenses.

“This is an impressive delivery in terms of scale,” said Richard Melick, Zimperium’s director of product strategy for endpoint security. “They pushed the full gamut of techniques in all categories; these methods are refined and proven. And it really is a carpet bombing effect when it comes to the amount of applications. One can be successful, the other cannot, and that’s fine.”

The operation targeted Android users in over 70 countries and checked their IP addresses to determine their geographic region. The app would then display the web pages in the primary language of that location to make the experience more convincing. The malware operators were careful not to reuse URLs, which would have made it easier for security researchers to track them. And the content the attackers generated was of high quality, without the typos and grammatical errors that give away more obvious scams.

Zimperium is a member of Google’s App Defense Alliance, a coalition of third-party companies that help keep tabs on Play Store malware, and the company disclosed the so-called GriftHorse campaign as part of that collaboration. Google says all apps identified by Zimperium have been removed from the Play Store and the corresponding app developers have been banned.

The researchers point out, however, that the apps, many of which have been downloaded hundreds of thousands of times, are still available through third-party app stores. They also note that while premium SMS fraud is an old business, it is still effective because the fraudulent charges usually don’t show up until a victim’s next wireless bill. If attackers can get their apps onto corporate devices, they can even trick employees of large companies into subscribing to charges that could go unnoticed for years on a corporate phone number.

While removing so many apps is slowing down the GriftHorse campaign for now, researchers point out that new variations are always appearing.

“These attackers are organized and professional. They created this as a business and they’re not just going to move on,” said Shridhar Mittal, CEO of Zimperium. “I’m sure it wasn’t a unique thing.”

This story originally appeared on wired.com.
