It remains unclear how many devices were infected by the Android malware family before Google took it down. REUTERS/Dado Ruvic/Illustration

A strain of Android malware that sends fraudulent premium-rate SMS messages and charges users' accounts for services without their knowledge was recently found lurking in more than 100 apps on the official Google Play Store. Those apps have been downloaded millions of times.

That's according to researchers at mobile security company Check Point, who have dubbed the malware "ExpensiveWall" after one of the booby-trapped applications.

The malware family it belongs to, first exposed by security firm McAfee back in January, has now reached between 5.9m and 21.1m total downloads (Google Play reports install counts as ranges, hence the spread), meaning it could be one of the biggest known outbreaks of malware ever to have spread to Android phones and tablets.

Check Point said the malware hijacks devices to send fraudulent SMS messages or sign users up to premium services controlled by the hackers to make money.

The malware was found in apps with names including I Love Fliter (sic), Beautiful Camera, WiFi Booster, Simple Camera, Tool Box Pro and X Wallpaper Pro.

The majority had hundreds of thousands of downloads, and had been uploaded as far back as 2015.

The ExpensiveWall malware alone infected at least 50 apps and was downloaded between 1m and 4.2m times before being successfully removed by Google.

Once installed, the malware asks the victim to grant the permissions it needs: sending SMS messages, used for the premium-rate fraud, and internet access, used to reach the operators' server. It also collects the device's location alongside identifiers such as its IP address, IMEI and IMSI, and sends them to that server.

It remains unknown how much money the malware's authors have made from the illicit scheme. Google did not immediately respond to a request for comment.

ExpensiveWall is what's known as a "packed" application: the malicious payload is stored encrypted inside the app and only decrypted and loaded at runtime, so a static scan of the APK sees little more than a harmless-looking loader. That is how it slipped past Google's anti-malware protections.
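The two traits just described, the permission set an SMS trojan needs (the paragraph on what the malware requests and collects) and the packed layout in which the real code sits as an encrypted blob next to a stub loader, are exactly what a reviewer would look for when triaging an APK offline. The script below is an added example written for this page; it is not code from the article, Check Point, McAfee or the malware. The permission names and the `aapt dump permissions` output format are real Android SDK ones, but the entropy threshold, the "suspicious" verdict rule, the package name and the sample APK are assumptions constructed here for illustration.

```python
# Added example, not from the article: static triage heuristics for an APK
# that (a) requests the permission set an SMS trojan needs and (b) looks
# "packed", i.e. ships a stub classes.dex plus a hidden or encrypted payload.
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

# Real Android permission names; the notes map each to what the article says
# the malware does (premium SMS, server contact, IMEI/IMSI, location).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "read subscription confirmation SMS",
    "android.permission.INTERNET": "talk to the operators' server",
    "android.permission.READ_PHONE_STATE": "read IMEI and IMSI",
    "android.permission.ACCESS_FINE_LOCATION": "read device location",
}
DEX_MAGIC = b"dex\n"                                 # first four bytes of any DEX file
DYNAMIC_LOADER = b"Ldalvik/system/DexClassLoader;"   # descriptor as stored in a DEX string table
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte this close to 8.0 suggests ciphertext
MIN_BLOB_SIZE = 1024      # assumption: ignore tiny files when measuring entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_permissions(aapt_dump: str) -> set:
    """Extract permission names from `aapt dump permissions app.apk` output.
    Accepts both `uses-permission: name='X'` and the older `uses-permission: X`."""
    perms = set()
    for line in aapt_dump.splitlines():
        m = re.match(r"\s*uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?", line)
        if m:
            perms.add(m.group(1))
    return perms


def packing_indicators(apk_bytes: bytes) -> list:
    """Flag a stub loader, a DEX hidden under another name, or an encrypted blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                if DYNAMIC_LOADER in data:
                    findings.append(f"{name}: references DexClassLoader (runtime code loading)")
                continue
            if data.startswith(DEX_MAGIC):
                findings.append(f"{name}: DEX file outside classes.dex (hidden payload)")
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append(f"{name}: entropy {shannon_entropy(data):.2f} (encrypted blob?)")
    return findings


def triage(apk_bytes: bytes, aapt_dump: str) -> dict:
    """Combine both heuristics into a report with a simple verdict."""
    perms = parse_permissions(aapt_dump)
    flagged = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in perms}
    packing = packing_indicators(apk_bytes)
    # Assumption: SMS sending plus network access plus any packing sign escalates.
    suspicious = ("android.permission.SEND_SMS" in flagged
                  and "android.permission.INTERNET" in flagged and bool(packing))
    return {"permissions": flagged, "packing": packing,
            "verdict": "suspicious" if suspicious else "review"}


# --- constructed sample input: a fake APK-shaped zip, not a real sample ---
def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # tiny stub classes.dex whose only job is to load something else
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64 + DYNAMIC_LOADER)
        z.writestr("assets/config.txt", b"theme=dark\nlang=en\n" * 100)        # benign, low entropy
        z.writestr("assets/res.dat", _pseudo_random(8192))                   # "encrypted" payload
        z.writestr("lib/armeabi/x.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 32)  # renamed DEX
    return buf.getvalue()


# Constructed `aapt dump permissions` output; the package name is hypothetical.
SAMPLE_AAPT_DUMP = """package: com.example.wallpaper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    report = triage(build_sample_apk(), SAMPLE_AAPT_DUMP)
    for perm, why in report["permissions"].items():
        print(f"[perm] {perm}: {why}")
    for finding in report["packing"]:
        print(f"[pack] {finding}")
    print("verdict:", report["verdict"])
```

Against a real APK you would feed `triage()` the file bytes and the captured output of `aapt dump permissions`; the entropy heuristic will also fire on legitimately compressed assets (images, fonts), so treat a hit as a reason to unpack and look, not as a verdict on its own.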

Check Point said that it notified Google about the outbreak on 7 August this year. After the affected apps were removed, however, the hackers uploaded another sample, which was downloaded more than 5,000 times within four days.

Removal from the Play Store does not uninstall an app that is already on a phone, so devices still running the apps remain at risk, experts warned.

Based on analysis of the applications' review pages, some of the malicious software had been advertised on Instagram, which could account for the high amount of downloads.

Smartphone apps could levy charges on infected users. iStock

Check Point said the malware had the potential to become a much bigger threat to users.

"While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified [...] to capture pictures, record audio, and even steal sensitive data and send the data to a command and control server," the team wrote.

"Since the malware is capable of operating silently, all of this illicit activity takes place without the victim's knowledge, turning it into the ultimate spying tool," it added.

Back in May, Check Point uncovered the malware known as Judy, which had been downloaded up to 36 million times by Android users. The firm at the time branded it "the largest malware campaign found" on the platform but, as usual, Google did not confirm the true number of infections.

It's clear that SMS Trojans like ExpensiveWall remain a big threat for Android users.

"Although SMS Trojans are not as popular as earlier in Android's career, Trojanised apps with injected code to subscribe users to premium services remain an easy way for malware authors to profit in a restricted environment like Google Play," McAfee experts wrote in January.

"Users may think they are paying for a legitimate app while in fact subscribing to a service that needs a specific SMS to make it stop.

"Another risk lies in children downloading, installing, and executing apps, while clicking on confirmation messages that could result in charges."