According to researchers from McAfee, these apps presented themselves as photo editors, wallpapers, keyboard skins, puzzles and many other camera-related apps. Once installed, the embedded malware would hijack SMS notifications and make unauthorized purchases on behalf of the compromised user. The fraudulent apps were found to belong to the malware commonly known as Joker, also known as Bread. For the past four years this malware has repeatedly managed to sneak past the Google Play reviewers; as a result, Google took down almost 1,700 applications infected with it at the beginning of 2020. McAfee is currently also tracking another potential threat under a different moniker, Etinu.
This malware is well known for committing payment fraud through its spyware capabilities, which include the ability to steal SMS messages, device data and information, as well as the user's contact list. The developers of this malware use a method known as versioning: they upload a malware-free version of the app to gain the trust of Play Store users, and once the app is installed, the fraudulent code is introduced later through an updated version of the application. This is how they manage to slip past the review process.
The additional code is introduced as a first-stage payload that is disguised to look harmless while it establishes a connection with the C2 (command and control) in order to receive a hidden key, which is used to decode the file. This mid-stage payload is ultimately decrypted and the malware is installed. Investigation of the C2 service revealed that personal information, including phone number, SMS messages, IP address, carrier, network status and country, was gathered. A list of 9 apps carrying this malware was also released, with names including:
- Keyboard Wallpaper
- 2021 wallpaper and Keyboard
- Barber Prank Hair Dryer, Clipper and Scissors
- PIP Photo maker
- Pop Ringtones for Android
- Picture Editor
- PIP Camera
- Cool Girl Wallpaper