More malicious apps in Google Play

During the last few days, the team responsible for Panda Mobile Security, our Android antivirus, has detected a new threat that has so far infected at least 300,000 users, although the true figure could be four times as much, some 1.2 million. The reason? All these malicious apps can be downloaded from Google Play:

According to our colleagues at PandaLabs, this is not the first time an app with malware has been able to evade all filters and be published on the official Android store. Yet this case may be different and these threats could remain in Google Play for some time…

How do these malicious apps work?

Let’s take one as an example, ‘Dietas para reducir el abdomen’ (Diets for a slimmer stomach). When you install and open the app, you see a loading screen:

Then the following screen:

When you click ‘Siguiente’ (Next) you can access one of the diets:

It’s not easy to see the X in the top right corner, as they want to make sure you click ‘Entrar’ (Enter). When you click it, a new message appears on this last screen:

This asks you to accept the terms in order to view the diet. But if you look closely at the screen, you can see the following: the previous screen is still below the message, but there is a ‘small’ difference. If you look just below the ‘Entrar’ button, you can see some gray lines that were not there before. In fact this is a completely illegible text.

So let’s zoom in to see what it says:

These are the service terms and conditions that you supposedly agree to if you click ‘Aceptar’ (Accept). It says that you are going to subscribe to a service to receive exclusive content for your phone. This text is obviously completely illegible in its original form.

Once you accept the terms and conditions of the service and click ‘Entrar’, two different things happen:

– You will see a series of tips on how to get a slimmer stomach.

– Without your knowledge, the app will search for the telephone number of the device and go to a website to sign up to a premium-rate SMS service. Activating the service requires confirmation, so it sends an SMS to the phone number with a PIN code, which has to be entered on the website to complete the process and to start charging you money. The app intercepts the SMS, reads it and confirms your subscription to the service. It then deletes the message, as if it never existed. All of this is done without your realizing.

Statistics of the fraud

According to data provided by Google Play, there have been between 50,000 and 100,000 downloads of this app. All the apps mentioned above do exactly the same thing. The total number of downloads of the four apps is between 300,000 and 1.2 million. Two were released in December 2013 and the other two in January 2014.

Looking at some of the comments made by users, many of them have installed the apps because they offer credits that can be used in some games, and even making a conservative estimate of €20 per device, we are looking at a huge scam that could be worth between six and 24 million Euros.

Antivirus for Android. Panda Mobile Security

If you are a Panda Mobile Security user, you’ll be aware of the ‘Privacy Audit’ feature. This classifies as ‘Costs money’ any app with permissions to behave maliciously and lets you delete it.

This doesn’t mean that all apps in this category are malicious, Facebook and WhatsApp apps are there and are not malicious. Any app with sufficient permissions to operate in the way described above will be in this category. If you discover an app installed that shouldn’t have these permissions, you should delete it immediately.

Whatever the security solution you use, we advise you to carefully read the permissions required and which are displayed when installing the app. If you notice that these include connecting to the Internet and reading your SMS messages when it is not necessary, don’t install the app.