Another round of malicious apps has been discovered in the official Android Market, this time with hidden functionality that sends SMS messages to premium-rate numbers. The apps, which Google has already pulled from the Market, are counterfeit versions of popular games, including Angry Birds.
Researchers at Lookout say they notified Google about the threat, which they discovered over the course of a few days last week. The Android Market has been a frequent target of attackers looking to get their malware or other unwanted software onto users’ devices. There have been several instances in the last year of attackers inserting malware, including the DroidDream Trojan, into seemingly legitimate apps in the Market. Some of those incidents affected thousands of users, but this latest wave appears to have affected relatively few people.
The payload in this case is functionality hidden deep within the rigged apps that, when activated by a user in any of a long list of European countries, sends messages to a premium-rate SMS number, potentially costing the victim a significant amount of money, Lookout researchers said.
“The initial batch appeared as horoscope apps with a fairly hidden ToS indicating charges. The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links. The Premium Short Codes used could affect users in Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine, and Estonia, as well as Great Britain, Italy, Israel, France, and Germany. North American users were not affected as the fraudulent SMS code is gated on the user’s country (as indicated by their SIM),” Lookout researchers said in a blog post.
Google removed the initial group of nine fraudulent apps from the Market late last week, including copies of popular games such as Cut the Rope and Angry Birds that had been rigged with the SMS functionality. Over the weekend, the fraudsters inserted another batch of about 13 apps into the Market, Lookout said, which Google also removed after being notified by the researchers.
Lookout’s researchers estimated that the latest bunch of apps had been downloaded by more than 14,000 users before they were yanked from the app store.
Attackers have settled on the Android Market as their favored target for malicious mobile apps, likely because of the open nature of the market and the lack of oversight for apps submitted to it. The various waves of DroidDream malware that have appeared in the Android Market have been downloaded by tens of thousands of victims, and there have been other similar attacks in the last year or so as well.