Fraudulent app subscribes users to premium message service

Nov 14, 2014 17:47 GMT

A malicious app purporting to act as a downloader for wallpapers, videos and music on Android has been spotted on Google Play, where it was available for download for over one year.

The app is an SMS Trojan that asks for permission to send short text and multimedia messages in exchange for downloadable content. Before installation, it does inform the user that charges may apply.

On the surface, there is nothing wrong with this. However, according to Nathan Collier from Malwarebytes, with the app, called Thai Fun Content (package name “com.FREE_APPS_435.android”), the charges continue on a regular basis because the user is actually subscribed to a premium service, and victims end up paying $0.37 / €0.30 every day.

Google removed the app from the store just recently

This may not seem like big money, but simple math tells us that 1,000 victims would bring the crooks a revenue of $370 / €297 per day. There are no details about the number of downloads recorded by the app, but since it was available for more than a year, chances are the number of victims exceeds 1,000 by far.

Collier says that the fraudulent software was last updated on August 20, 2013 and alleges that this date is also when it was added to the store. On November 13, 2014, the malicious app was still active on Google Play, the researcher said in a blog post.

At the moment, there is no sign of Thai Fun Content in Google’s Android repository, but the fact that it persisted for so long shows that the automated security checks of the marketplace are not 100% effective.

Google Play app scanning can be fooled

Before the Google I/O conference for developers this summer, Adrian Ludwig, Android security engineer, told journalists that the average user did not need protection from an antivirus solution, stating that the risk reported by the security industry was overstated.

He said that “in practice most people will never see a potentially harmful application from our data.”

Ludwig’s statement stemmed from the belief that the security reports did not reveal the number of actual devices affected by malware coming from an app in Google Play and that the numbers relied on infections from apps stored in third-party repositories that did not curate content.

The presence of this SMS Trojan app in the Android store is indeed a rarity, but it does prove that the protection mechanisms for the marketplace can be defeated for long periods of time.