Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play Store

Researchers have uncovered a new established of fraudulent Android apps in the Google Engage in shop that ended up uncovered to hijack SMS information notifications for carrying out billing fraud.

The apps in problem mostly specific consumers in Southwest Asia and the Arabian Peninsula, attracting a overall of 700,000 downloads before they were being found and taken off from the platform.

The conclusions ended up documented independently by cybersecurity companies Trend Micro and McAfee.

password auditor

“Posing as photograph editors, wallpapers, puzzles, keyboard skins, and other digital camera-associated applications, the malware embedded in these fraudulent apps hijack SMS information notifications and then make unauthorized purchases,” scientists from McAfee claimed in a Monday publish-up.

The fraudulent apps belong to the so-termed “Joker” (aka Bread) malware, which has been discovered to repeatedly sneak earlier Google Perform defenses about the past 4 many years, resulting in Google eradicating no fewer than 1,700 infected applications from the Engage in Shop as of early 2020. McAfee, nonetheless, is monitoring the danger underneath a independent moniker named “Etinu.”


The malware is notorious for perpetrating billing fraud and its spy ware capabilities, which include thieving SMS messages, speak to lists, and unit data. The malware authors usually make use of a approach referred to as versioning, which refers to uploading a cleanse edition of the application to the Engage in Keep to make rely on between end users and then sneakily introducing destructive code at a later stage by way of application updates, in a bid to slip by means of the app assessment system.

The extra code injected serves as the initial-stage payload, which masquerades seemingly innocuous .PNG files and establishes with a command-and-control (C2) server to retrieve a solution crucial that is used to decrypt the file to a loader. This interim payload then loads the encrypted second payload that is in the long run decrypted to install the malware.

McAfee’s investigation of the C2 servers exposed users’ individual information and facts, together with carrier, mobile phone variety, SMS message, IP deal with, state, community position, together with auto-renewing subscriptions.

password auditor

The listing of nine applications is below –

  • Keyboard Wallpaper (com.studio.keypaper2021)
  • PIP Photograph Maker (com.pip.editor.camera)
  • 2021 Wallpaper and Keyboard (org.my.favorites.up.keypaper)
  • Barber Prank Hair Dryer, Clipper and Scissors (com.super.colour.hairdryer)
  • Photograph Editor (com.ce1ab3.application.image.editor)
  • PIP Digicam (com.strike.digicam.pip)
  • Keyboard Wallpaper (com.daynight.keyboard.wallpaper)
  • Pop Ringtones for Android (com.super.star.ringtones)
  • Great Girl Wallpaper/SubscribeSDK (interesting.girly.wallpaper)

People who have downloaded the apps are urged to check out for any unauthorized transactions though also getting actions to check out out for suspicious permissions requested by apps and meticulously scrutinize applications right before they are put in on the units.

“Judging by how Joker operators consistently make certain the malware’s persistence in Google Engage in even following getting caught quite a few moments, most most likely there are ways [the operators] are profiting from this scheme,” Trend Micro scientists stated.

Fibo Quantum