Dark Reading is part of the Informa Tech Division of Informa PLC

Jeffrey Burt

Mobile Malware Group Hits Google Play a Third Time

McAfee researchers found that AsiaHitGroup earlier this year again targeted Android device users in Asia with a bulked-up Sonvpay campaign complete with silent push notifications.

Cybercriminals who had targeted Android mobile device users twice over the past two years with fraudulent apps in the Google Play app store are at it again. Earlier this year, the group came out with a third effort, using silent push notifications in the background to subscribe users to a premium-rate mobile service.

According to McAfee researchers, who first uncovered the work of the AsiaHitGroup Gang in 2016, the same group returned this year with a repackaged and more sophisticated app that illustrates a trend in mobile malware. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

"This is becoming very typical of campaigns from the past two years," Irfan Asrar, senior manager of malware and threat research at McAfee, told Security Now in an email. "Mobile malware authors are churning out campaigns much faster than any other period in the fourteen-year history of mobile malware. Despite the fact that the total number of mobile malware samples actually dropped in Q2 by 2 percent, what comes as a shock is that the earning potential per each campaign has increased and continues to increase. In other words, they are scaling fraud, making more money with less samples that are more efficiently distributed."

The AsiaHitGroup Gang was responsible for the distribution of fake-installer applications dubbed Sonvpay.A, which in 2016 targeted at least 20,000 Android mobile device users in Thailand and Malaysia, charging them for the download of copies of popular applications, according to Carlos Castillo, mobile malware researcher at McAfee.

A year later, the same group returned with Sonvpay.B, a campaign found on Google Play that used IP address geolocation to confirm which country the victim was in. It also subscribed victims in Russia to a WAP billing fraud campaign.

The group returned again in January with Sonvpay.C, which leverages silent background push notifications that trigger a fake update dialog, Castillo wrote in a post on the McAfee Labs blog this week. However, when users start the update, what happens is that they unwittingly subscribe to a premium-rate service that operates primarily through WAP billing.

This way, no SMS message needs to be sent to a premium-rate number, so the fraud leaves none of the outgoing-SMS traces that earlier premium-SMS schemes did.

The malware was placed behind 15 apps on the Google Play store that were presented as WiFi hotspots, ringtones, QR code scanners, photo editors and a night light. The Sonvpay.C campaign targeted victims in Malaysia and Kazakhstan and, according to Castillo, some of the apps were installed at least 50,000 times.

All told, the malware group could have earned between $60,500 and $145,000 since the first app appeared in the app store in January.

Google removed the apps after McAfee alerted the company to them in April.

"Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits," Castillo wrote in the blog. "We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world."

In its Android Security 2017 Year in Review report, McAfee researchers said that toll fraud -- which includes WAP billing fraud -- is among the most prominent potentially harmful apps on Google Play. Attacks on Android devices in general continue to rise. Sophos Labs analysts in their 2018 Mobile Malware Forecast said that there were almost 3.5 million malicious Android apps in 2017, up from just more than 500,000 in 2013. Sophos processed about 10 million Android samples submitted by customers in 2017, up from 8.5 million the year before. (See Smartphones Remain the Most Vulnerable of Endpoints.)


It's no surprise that Android devices are targeted, McAfee's Asrar said.

"Because of pricing and ease of availability, Android devices tend to be more attractive to first-time smartphone buyers, especially in emerging Third World countries, hence malware authors tend to gravitate to it globally," he said. "What we have seen with the more successful campaigns is that they tend to charge a very tiny amount, which gets buried in the monthly bills of all the subscription services such as Netflix, iTunes, Hulu, Spotify, Amazon that people typically subscribe to, going unnoticed for several billing cycles until eventually someone goes, 'Wait, that doesn't seem right.'"
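Because Sonvpay.C subscribes victims through WAP billing rather than premium SMS, the phone's outgoing-message log shows nothing; the artifact that survives is the small recurring line item on the carrier bill that Asrar describes. The following Python script is an added example (not code from the article, McAfee or the researchers quoted) of the kind of check a support desk or a self-auditing subscriber can run over exported bill line items: it groups charges by merchant, skips an allowlist of subscriptions the account holder knows about, and flags any other merchant that billed a small amount in two or more billing cycles. The bill data, the allowlist, the thresholds and the merchant names are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Charge:
    """One line item from a monthly carrier bill (constructed format)."""
    cycle: str      # billing cycle, e.g. "2018-02"
    merchant: str   # merchant / description as printed on the bill
    amount: float   # amount in local currency units


# Subscriptions the account holder recognises (constructed allowlist).
KNOWN_SUBSCRIPTIONS = {"NETFLIX", "SPOTIFY", "ITUNES", "HULU", "AMAZON"}


def flag_recurring_small_charges(charges, max_amount=5.0, min_cycles=2,
                                 known=KNOWN_SUBSCRIPTIONS):
    """Return [(merchant, sorted cycles, total)] for merchants that are not on
    the allowlist and billed at most `max_amount` in at least `min_cycles`
    distinct billing cycles. Large one-off charges (data plan, handset
    instalment) and recognised subscriptions are ignored."""
    by_merchant = defaultdict(list)
    for c in charges:
        if c.merchant.strip().upper() in known:
            continue                      # account holder already expects this
        if c.amount <= max_amount:
            by_merchant[c.merchant.strip()].append(c)

    findings = []
    for merchant, items in by_merchant.items():
        cycles = sorted({c.cycle for c in items})
        if len(cycles) >= min_cycles:
            total = round(sum(c.amount for c in items), 2)
            findings.append((merchant, cycles, total))
    # Most persistent merchants first, then alphabetical for stable output.
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


# Constructed three-cycle bill: a data plan, two known subscriptions, one
# one-off content purchase and one small charge that repeats every cycle.
SAMPLE_BILL = [
    Charge("2018-01", "DATA PLAN 5GB", 30.00),
    Charge("2018-01", "NETFLIX", 9.99),
    Charge("2018-01", "SPOTIFY", 4.99),
    Charge("2018-01", "WAP CONTENT SVC", 1.50),
    Charge("2018-02", "DATA PLAN 5GB", 30.00),
    Charge("2018-02", "NETFLIX", 9.99),
    Charge("2018-02", "SPOTIFY", 4.99),
    Charge("2018-02", "WAP CONTENT SVC", 1.50),
    Charge("2018-02", "ONE-OFF RINGTONE", 1.00),
    Charge("2018-03", "DATA PLAN 5GB", 30.00),
    Charge("2018-03", "NETFLIX", 9.99),
    Charge("2018-03", "SPOTIFY", 4.99),
    Charge("2018-03", "WAP CONTENT SVC", 1.50),
]


if __name__ == "__main__":
    for merchant, cycles, total in flag_recurring_small_charges(SAMPLE_BILL):
        print(f"{merchant}: billed in {len(cycles)} cycles "
              f"({', '.join(cycles)}), total {total:.2f}")
```

The allowlist matters as much as the threshold: Spotify here costs less than the cap and recurs every month, so without it the check would flag a legitimate subscription. The one-off ringtone stays below `min_cycles` and is reported only if the caller lowers that parameter, which is the trade-off between catching a subscription after its first cycle and generating noise from ordinary content purchases.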

The McAfee researcher said that Google has historically acted quickly when issues like the Sonvpay campaigns are brought to it, but added that "we have to recognize we are dealing with highly-funded and innovative adversaries that are quick to adapt their techniques to achieve their objectives."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
