PandaLabs security firm has identified malicious Android apps available on Google Play that can sign up users for premium SMS subscription services without user knowledge. The malware has infected at least 300,000 Android devices, although the number of downloads could have reached 1,200,000.
“Without the user knowledge the app will get the phone number of the device, will go to a website and will register it to a premium SMS service. This service require a confirmation to be activated, which means it sends a SMS to that number with a PIN code, which have to be entered back to end the process and start changing you money. This app waits for that specific message, once it arrives it intercepts its arrival, parses it, takes the PIN number and confirm your interest in the service. Then it removes it, no notification is shown in the terminal and the SMS is not shown anywhere. Again, all this is done without the user knowledge.” states the PandaLabs blog post.
The experts at Panda Labs estimated that the average each victim gets charged by these apps is $20 and considering that overall number of downloads is between 300,000 and 1,200,000, this means that the cyber criminals could have made between $6 million and $24 million.
It’s not the first time that a malware is served via Google Play store, in the past popular banking trojan like Carberp has been spread through the official channel.
Be careful to what you install on your mobile and evaluate the permissions apps need to be installed, they could allow malicious code to cause serious problems.
(Security Affairs – Android, SMS)