Trojanized Photo App on Google Play Signs Up Users for Premium Services

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious.

Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names on Google Play have some relation to the type of app (for example, photography apps usually have photo in package name). When we saw the package name com.star.trek on Google Play, we expected an app related to the popular science fiction series. However, it appears to be a photo app based on its application name and description:

trojansms_googlesearchapp
The app seems popular on Google Play, with more than one million downloads yet an unusual low rating (3.5 out of 5):

trojansms_i_love_filter
Another warning flag raised by this app is that the application name “I Love Filter” does not correspond to the application name in the banner “Wonderful Cam.” Looking at user reviews, we found some hints as to its low ratings from so many people:

trojansms_ratingandreviews
One review says the app makes money from your messages, suggesting the app is in fact an SMS Trojan, one of the oldest and most profitable threats to mobile devices. This type of malware sends SMS (text) messages to premium-rate numbers and charges the user for a specific service. In some cases, instead of charging for each SMS sent, the user is subscribed to a service that continuously charges until a message is submitted to cancel the subscription. After we downloaded and installed this suspect app, we confirmed that app demands permission to send SMS. There is also a typo in the application name (Fliter), which makes it even more suspicious:

trojansms_appinfo
Once the app is executed, our suspicions are confirmed:

trojansms_premiumservice
As soon as the app is opened, it loads a website to subscribe the user to a premium service once the user clicks on the “Continue” button. The “good” news is that rather than subscribing the user automatically in the background, the app explains the cost of each SMS and, more important, how the user can stop the service. The bad news is that if the user does not pay, the application cannot be used.

Does this behavior mean that the developer is offering the app as free but then tries to charge the user to use the app? Not really. Looking at the decompiled source code of “I Love Filter,” we see that com.star.trek is in fact the free legitimate app Retro Live infected with Trojan code to charge the user via SMS messages:

trojansms_retrolive
Retro Live is currently not available on Google Play, although this is not the first time that it is being used to make a profit on Google Play. At least three other Trojanized Retro Live apps have been identified, and are currently available only on third-party sites:

trojansms_otherapps
In the case of Beautiful Photo, and unlike I Love Filter, the terms and conditions are not so clear and are not even in English, which could lead some to click “Setup” without paying attention to the other text and thus subscribe the user to an unwanted premium-rate service:

trojansms_premiumservice2
In addition to the SMS subscription function, the injected code also leaks device and user information, including the phone number, GPS location, installed apps, and IP address:

trojansms_userinfoupload
The malware can also download and install applications:

trojansms_downloadandinstall
In previous years Android has introduced security measures to protect users against SMS Trojans. Since Android 4.2 (Jelly Bean), the operating system has displayed a pop-up message to inform users that an app is trying to send an SMS message to a premium short number and ask for confirmation. In Android 4.4 (KitKat) Google introduced the concept of a default SMS app that limits the ability of malware to silently intercept incoming SMS messages. Nevertheless, malware authors have found ways to overcome some restrictions: In the following case the malware mutes the incoming SMS alert notification to avoid alerting the user that a confirmation message has arrived:

trojansms_silentmode
Although SMS Trojans are not as popular as earlier in Android’s career, Trojanized apps with injected code to subscribe users to premium services remain an easy way for malware authors to profit in a restricted environment like Google Play. Users may think they are paying for a legitimate app while in fact subscribing to a service that needs a specific SMS to make it stop. Another risk lies in children downloading, installing, and executing apps, while clicking on confirmation messages that could result in charges.

We have reported the “I Love Filter” app to Google and it should be removed soon. To protect yourselves from this threat, employ security software on your mobile devices, check user reviews for apps on Google Play, and do not accept or trust apps that ask for payment functionality via SMS messages as soon as the app is opened.

McAfee Mobile Security detects this threat as Android/SmsPay and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

Leave a Comment

seventeen − 15 =