Several Android mobile Trojans are circulating in the wild that surreptitiously sign users up for paid services and take a cut for the scammers from the money that is billed. Many of these are getting around Google Play’s official app store security measures.
Researchers from Kaspersky who have been tracking these most recent so-called “fleeceware” threats for the past several months say the malware is often capable of bypassing bot detection mechanisms on sites for paid services, and can even subscribe unsuspecting mobile device users to the scammers’ own non-existent services.
The malware is often hidden within otherwise benign mobile applications such as healthcare apps, photo editors, and popular games on Google’s Play mobile app store and other stores. The weaponized apps keep resurfacing almost as quickly as they are detected and removed, Kaspersky said.
Many of the applications ask for permission to access the user’s notifications and messages. If those permissions are granted, the malware then intercepts and hijacks messages containing confirmation codes for their subscription, therefore leaving the users unaware they had just been subscribed to a paid service.
In a report, Kaspersky highlights four of the most widely spread Trojans in this category that it has observed in recent months — Jocker (aka Joker), MobOk, GriftHorse.l, and Vesub. The vendor estimates a startling 70% of Android device users had encountered subscription Trojans such as these at some point.
Four of the Worst
Kaspersky identifies MobOk as the most active of the four threats. The malware was first spotted within an infected app on Google Play, but more recently it has been seen getting distributed as a payload of Triada — another mobile Trojan often hidden within preinstalled system apps on some smartphones. Kaspersky says it has observed the malware on the APK Pure Android mobile app store, hidden inside what the vendor described as a widely used modification of WhatsApp Messenger.
Once installed on a system, MobOk works by opening a subscription page to a paid service in an invisible window. If the malware has been granted access to the user’s notification service, it intercepts any confirmation code that the paid service might send to the device and uses that to confirm the subscription. One feature that sets MobOk apart from the other mobile Trojans is its ability to solve CAPTCHAs on subscription sites, Kaspersky says. A plurality of the MobOk infections that the vendor observed were in Russia, followed by India and Indonesia.
Jocker, meanwhile, is malware that Kaspersky recently found hidden within messaging apps, blood pressure monitoring software, document scanning apps, and other products on Google Play. Jocker is a long-known mobile threat that continuously changes up its tactics to continue to infiltrate the official app store.
In many cases scammers download legitimate versions of these apps from Google’s app store, then insert Jocker code into it and re-upload them to the store under a different name, Kaspersky says. The malware was coded to remain dormant during Google’s app vetting process but to become active when the application goes live. Like MobOk, Jocker too is designed to intercept text messages or notifications containing confirmation codes and using them to sign users up for paid subscription services without their knowledge.
The current version of the malware uses a staged download process — involving four files — to install the final component of the malware on end-user systems. It adopted the technique to try to avoid malware-detection mechanisms, Kaspersky notes. Researchers from the company observed the malware being used most frequently against Android users in Saudi Arabia, Poland, and Germany.
Vesub, meanwhile, is mobile malware that Android users can encounter on unofficial app stores. The malware is hidden within spoofed versions of popular game apps that actually contain no legitimate functionality. When installed, the malware straightaway attempts to start subscribing users to paid services, while all that a user sees is a window suggesting that the app is still loading. Like most subscription Trojans, Vesub works only if it has been granted permission to access text messages or notifications. Kaspersky found the malware to be predominant in Egypt, Thailand, and Malaysia.
And finally, GriftHorse.l is different from the other malware in that it subscribes users to the malware author’s own paid services, such as apps that promise to take users on a weight-loss plan for a fee. Users who sign up for these plans often do so without realizing that they are signing up for a service with periodic payments and automatic billing, Kaspersky says.
Ioannis Gasparis, staff security intelligence researcher at Lookout ,says the malware families that Kaspersky identified are indeed some of the more common threats for mobile users over the past six- to 12 months, Jocker, (which Lookout refers to as Joker), is somewhat older but still very relevant, according to Gasparis.
“In our observation, toll fraud has had a revival over the past one to two years, mainly driven by a small number of malware families that are being pushed aggressively by malicious actors,” he says. “The impact on a victim is mainly financial and depends on the scamming service that the user gets subscribed to by the malware.”
Richard Melick, director of threat reporting at Zimperium, says malware such as these should not be considered a consumer-only threat.
“Organizations of all sizes must start realizing that there is no such thing as a consumer-only threat in the world of BYOD,” he said, in emailed comments. “Each time Jocker and other long-standing malware go through an update, they continue to put critical data, services, and attack surfaces at risk.”
Security teams need to ensure they have the same kind of security architecture for mobile endpoints as they have for traditional devices.
Both Google and Apple have implemented numerous measures over the years to prevent scammers from uploading malware to their respective mobile app stores. While the measures have helped limit malicious apps to a certain extent, security vendors have continued to find malware on these stores on a regular basis. Just last month, for instance, Google scrambled to remove at least six applications masquerading as legitimate antivirus tools that were in reality being used to drop a banking Trojan called SharkBot. Check Point estimated the malware tools were downloaded more than 15,000 times before Google removed them from Google Play.