
6/29/2018
09:35 AM
Jeffrey Burt

Mobile Malware Group Hits Google Play a Third Time

McAfee researchers found that AsiaHitGroup earlier this year again targeted Android device users in Asia with a bulked-up Sonvpay campaign complete with silent push notifications.

Cybercriminals who had targeted Android mobile device users twice over the past two years with fraudulent apps in the Google Play app store are at it again. Earlier this year, the group came out with a third effort, using silent push notifications in the background to subscribe users to a premium-rate mobile service.

According to McAfee researchers, who first uncovered the work of the AsiaHitGroup Gang in 2016, the same group had returned this year with a repackaged and more sophisticated app that illustrates a trend in mobile malware. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

"This is becoming very typical of campaigns from the past two years," Irfan Asrar, senior manager of malware and threat research at McAfee, told Security Now in an email. "Mobile malware authors are churning out campaigns much faster than any other period in the fourteen-year history of mobile malware. Despite the fact that the total number of mobile malware samples actually dropped in Q2 by 2 percent, what comes as a shock is that the earning potential per each campaign has increased and continues to increase. In other words, they are scaling fraud, making more money with less samples that are more efficiently distributed."

The AsiaHitGroup Gang was responsible for the distribution of fake-installer applications dubbed Sonvpay.A, which in 2016 targeted at least 20,000 Android mobile device users in Thailand and Malaysia, charging them for the download of copies of popular applications, according to Carlos Castillo, mobile malware researcher at McAfee.

A year later, the same group returned with Sonvpay.B, a campaign found on Google Play that used IP address geolocation to confirm what country the victim was in. It also subjected victims in Russia to a WAP billing fraud campaign.

The group returned again in January with Sonvpay.C, which leverages silent background push notifications that trigger a fake update dialog, Castillo wrote in a post on the McAfee Labs blog this week. When users accept the update, they unwittingly subscribe to a premium-rate service that operates primarily through WAP billing.

This way, there is no SMS message required to be sent to premium-rate numbers.

The malware was placed behind 15 apps on the Google Play store that were presented as WiFi hotspots, ringtones, QR code scanners, photo editors and a night light. The Sonvpay.C campaign targeted victims in Malaysia and Kazakhstan and, according to Castillo, some of the apps were installed at least 50,000 times.

All told, the malware group could have earned between $60,500 and $145,000 since the first app appeared in the app store in January.

Google removed the apps after McAfee alerted the company to them in April.

"Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits," Castillo wrote in the blog. "We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world."

In its Android Security 2017 Year in Review report, McAfee researchers said that toll fraud -- which includes WAP billing fraud -- is among the most prominent potentially harmful apps on Google Play. Attacks on Android devices in general continue to rise. Sophos Labs analysts in their 2018 Mobile Malware Forecast said that there were almost 3.5 million malicious Android apps in 2017, up from just more than 500,000 in 2013. Sophos processed about 10 million Android samples submitted by customers in 2017, up from 8.5 million the year before. (See Smartphones Remain the Most Vulnerable of Endpoints.)


It's no surprise that Android devices are targeted, McAfee's Asrar said.

"Because of pricing and ease of availability, Android devices tend to be more attractive to first-time smartphone buyers, especially in emerging Third World countries, hence malware authors tend to gravitate to it globally," he said. "What we have seen with the more successful campaigns is that they tend to charge a very tiny amount, which gets buried in the monthly bills of all the subscription services such as Netflix, iTunes, Hulu, Spotify, Amazon that people typically subscribe to, going unnoticed for several billing cycles until eventually someone goes, 'Wait, that doesn't seem right.'"

The McAfee researcher said that Google has historically acted quickly when issues like the Sonvpay campaigns are brought to it, but added that "we have to recognize we are dealing with highly-funded and innovative adversaries that are quick to adapt their techniques to achieve their objectives."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.