A new piece of malware, called “ExpensiveWall”, has affected around 21.1 million Android devices, as identified by Check Point’s mobile threat research team. The malware is said to have bypassed Google Play’s anti-malware protections, including Play Protect, because it came “packed” inside certain applications (primarily wallpaper apps). This means that its developers encrypted the malicious code, making it difficult for the protection checks to detect. Notably, Check Point notified Google about the malware on August 7, 2017, but by then the malware had already affected at least 50 apps on the Play Store. Google Play data further suggests that these apps were downloaded between 1 million and 4.2 million times before they were finally taken down from the Play Store. Moreover, taking into account the entire ExpensiveWall malware family, the number of downloads falls between 5.9 million and 21.1 million.
On its own, ExpensiveWall doesn’t do much, but once an app infected with this malware is granted SMS permissions, the malware sends premium SMS messages and registers users for other premium services – all without their knowledge. Some infected apps may even ask for internet access permission which, once granted, allows the app to connect to the malware’s command and control (C&C) servers. This way, the malware can capture pictures, record audio, and even steal sensitive data from its victims. This data can also include users’ location, their MAC and IP addresses, their International Mobile Subscriber Identities (IMSIs), and their devices’ International Mobile Equipment Identity (IMEI) numbers.
Users who downloaded any of the infected apps before they were removed from the Play Store will have to manually uninstall those apps from their devices. One such app, Lovely Wallpaper, actually received many negative user reviews, as shown below. If you are uncertain about any app, it is better to check whether that app is still available for download on the Play Store. A precautionary measure to stay protected in the future is to read user reviews of any app before downloading it. Once you do download an app, it is wise to pay attention to the permissions it requests and their relevance to the app.
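The permission-relevance check described above, as an added example that is not part of the original article: it parses permission listings in the style of `aapt dump permissions` output and flags apps that request sensitive permissions their category does not need. The sample listing, the package names and the per-category allow-lists are constructed assumptions for illustration.

```python
import re

# Assumed allow-lists: what an app of each category plausibly needs.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
}
# Permissions behind the behaviour the article lists: premium SMS, pictures,
# audio, location, and device identifiers such as IMSI and IMEI.
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_PHONE_STATE"}

PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_dump(text):
    """Return {package: set(permissions)} from concatenated listings."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), set())
        elif (m := PERM_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return apps

def audit(apps, categories):
    """Flag sensitive permissions outside the app category's allow-list."""
    findings = {}
    for pkg, perms in apps.items():
        # An app with no known category gets no allowance at all.
        allowed = EXPECTED.get(categories.get(pkg), set())
        unexpected = sorted((perms & SENSITIVE) - allowed)
        if unexpected:
            findings[pkg] = unexpected
    return findings

# Constructed sample input; package names are hypothetical.
SAMPLE = """\
package: com.example.walls1
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
package: com.example.walls2
uses-permission: android.permission.SET_WALLPAPER
package: com.example.texter
uses-permission: name='android.permission.SEND_SMS'
"""
CATEGORIES = {"com.example.walls1": "wallpaper",
              "com.example.walls2": "wallpaper",
              "com.example.texter": "messaging"}

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE), CATEGORIES))
```
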