
Jeffrey Burt

Mobile Malware Group Hits Google Play a Third Time

McAfee researchers found that AsiaHitGroup earlier this year again targeted Android device users in Asia with a bulked-up Sonvpay campaign complete with silent push notifications.

Cybercriminals who twice in the past two years targeted Android users with fraudulent apps in the Google Play store are at it again. Earlier this year the group launched a third campaign, this time using silent background push notifications to subscribe users to a premium-rate mobile service.

According to McAfee researchers, who first uncovered the work of the AsiaHitGroup Gang in 2016, the same group has returned this year with a repackaged and more sophisticated app that illustrates a broader trend in mobile malware. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

"This is becoming very typical of campaigns from the past two years," Irfan Asrar, senior manager of malware and threat research at McAfee, told Security Now in an email. "Mobile malware authors are churning out campaigns much faster than any other period in the fourteen-year history of mobile malware. Despite the fact that the total number of mobile malware samples actually dropped in Q2 by 2 percent, what comes as a shock is that the earning potential per each campaign has increased and continues to increase. In other words, they are scaling fraud, making more money with fewer samples that are more efficiently distributed."

(Source: Flickr)

The AsiaHitGroup Gang was responsible for distributing fake-installer applications dubbed Sonvpay.A, which in 2016 targeted at least 20,000 Android users in Thailand and Malaysia, charging them for downloads of copies of popular applications, according to Carlos Castillo, mobile malware researcher at McAfee.

A year later, the same group returned with Sonvpay.B, a campaign found on Google Play that used IP address geolocation to confirm which country the victim was in. That campaign also added victims in Russia to a WAP billing fraud scheme.

The group returned again in January with Sonvpay.C, which uses silent background push notifications to trigger a fake update dialog, Castillo wrote in a post on the McAfee Labs blog this week. When users accept the "update," they unwittingly subscribe to a premium-rate service that is charged primarily through WAP billing.

Because the subscription is billed through WAP, the malware does not need to send any SMS messages to premium-rate numbers.

The malware was hidden in 15 apps on the Google Play store that were presented as Wi-Fi hotspot tools, ringtones, QR code scanners, photo editors and a night light. The Sonvpay.C campaign targeted victims in Malaysia and Kazakhstan and, according to Castillo, some of the apps were installed at least 50,000 times.

All told, the group could have earned between $60,500 and $145,000 since the first of the apps appeared in the app store in January.

Google removed the apps after McAfee alerted the company to them in April.

"Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits," Castillo wrote in the blog. "We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world."

(Source: McAfee)

Citing Google's Android Security 2017 Year in Review report, McAfee researchers noted that toll fraud -- which includes WAP billing fraud -- is among the most prominent categories of potentially harmful apps on Google Play. Attacks on Android devices in general continue to rise. Sophos Labs analysts, in their 2018 Mobile Malware Forecast, said there were almost 3.5 million malicious Android apps in 2017, up from just over 500,000 in 2013. Sophos processed about 10 million Android samples submitted by customers in 2017, up from 8.5 million the year before. (See Smartphones Remain the Most Vulnerable of Endpoints.)


It's no surprise that Android devices are targeted, McAfee's Asrar said.

"Because of pricing and ease of availability, Android devices tend to be more attractive to first-time smartphone buyers, especially in emerging Third World countries, hence malware authors tend to gravitate to it globally," he said. "What we have seen with the more successful campaigns is that they tend to charge a very tiny amount, which gets buried in the monthly bills of all the subscription services such as Netflix, iTunes, Hulu, Spotify, Amazon that people typically subscribe to, going unnoticed for several billing cycles until eventually someone goes, 'Wait, that doesn't seem right.' "

Asrar said that Google has historically acted quickly when issues like the Sonvpay campaigns are brought to it, but added that "we have to recognize we are dealing with highly-funded and innovative adversaries that are quick to adapt their techniques to achieve their objectives."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
