Malware From Google Play Store Infects 700,000 Users

A wave of fraudulent Android apps was downloaded more than 700,000 times from the Google Play Store before being removed, security researchers said.

Targeting users Southwest Asia and the Arabian Peninsula, the apps posed as photo editors, wallpapers, puzzles, keyboard skins and camera-related tools.

But once installed, they would hijack SMS message notifications and then make unauthorised purchases, McAfee said.

In order to bypass Google’s security protections, the scammers first submitted a clean version to the Play Store.

Scam apps containing the Etinu malware. Image credit: McAfee

Unauthorised purchases

Further updates then added progressively malicious features, found McAfee, which calls the malware Etinu.

“The malware embedded in these apps takes advantage of dynamic code loading,” McAfee said in its advisory.

“Encrypted payloads of malware appear in the assets folder associated with the app, using names such as ‘cache.bin’, ‘settings.bin’, ‘data.droid’, or seemingly innocuous ‘.png’ files.”

In order to avoid the need for the SMS read permission, the malware hijacks the Notification Listener to steal incoming SMS messages.

This feature is similar to the Joker Android malware, as described by Trend Micro last month.

Suspicious permissions

The Etinu malware then creates auto-renewing subscriptions without the user’s knowledge.

McAfee said the malware relies on abuse of the Notification Listener permission to carry out its work.

The company said it expects threats that take advantage of Notification Listener “will continue to flourish”.

“It’s important to pay attention to apps that request SMS-related permissions and Notification Listener permissions,” the company said.

“Simply put, legitimate photo and wallpaper apps simply won’t ask for those because they’re not necessary for such apps to run. If a request seems suspicious, don’t allow it.”

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

2 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

4 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

6 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

7 hours ago