These fake Android apps steal your money when you aren’t looking

If you thought you were immune from hackers when downloading “legit” Android apps from Google Play, then think again. The McAfee Mobile Research team recently discovered a new campaign where at least 15 apps were “re-packaged” to secretly sign up for premium paid services in the background. The list includes Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone.

The campaign is run by the AsiaHitGroup Gang who first appeared in late 2016 to target victims primarily in Thailand and Malaysia. The group used a fake app installer called “Sonvpay.A” that, for a price, pretended to install popular apps delivered outside Google Play. But it secretly subscribed at least 20,000 victims to paid services in the background by sending SMS messages to premium-rate numbers.

But that was only the beginning.

The group then moved on to bigger bucks through Google Play during November 2017 in its second campaign targeting Thailand, Malaysia and Russia. They modified the fake installer, now called “Sonvpay.B,” to serve as full-fledged familiar-but-fake apps listed on Google’s storefront. For this campaign, Sonvpay relied on IP address geolocation to identify the victims’ country of origin. The campaign also used the same SMS method while adding WAP billing — aka direct billing to a mobile carrier — to secretly subscribe victims to premium services.

The group’s third campaign began in January 2018 targeting devices accessing Google Play in Malaysia and Kazakhstan. Instead of creating fake apps, the group bundled legitimate Android apps with “Sonvpay.C,” which uses silent background push notifications to secretly subscribe victims to premium paid services. The apps themselves don’t pose any kind of threat outside wanting permission to access SMS messages. In fact, they act completely normal.

“The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers,” McAfee’s Carlos Castillo reports. “Instead it requires only that users employ the mobile network to access a specific website and automatically click on a button to initiate the subscription process.”

After you install one of these apps, the Sonvpay component receives commands to sign onto premium paid services through push notifications that the device owner never sees. These services are billed directly to the mobile carrier. Even more, there’s a fake “update” component where if the device owner agrees to the update, Sonvpay.C will subscribe to premium services. Even if the user doesn’t agree, the services may show up on the mobile carrier’s bill anyway depending on the command sent through the push notification.

The problem with carrier billing and this type of fraudulent charge is that it’s typically not discovered until the victim receives a monthly statement. These charges are typically subscription-based as well, so victims must figure out how to unsubscribe from the premium service.

When McAfee’s team discovered Qrcode Scanner, Cut Ringtone 2018 and Despacito Ringtone loaded with the Sonvpay.C component, they promptly alerted Google and saw the apps disappear from Google Play. Despacito for Ringtone appeared several days later, once again laced with Sonvpay.C, but was quickly nuked by Google.