At least 50 Android apps found in the Google Play Store—including several with millions of downloads—were housing malware that silently ran up fees for users, security researchers discovered.

The attack, known as ExpensiveWall, uses excessive permissions to register users for premium services that charge them fees without their knowledge. Apps containing ExpensiveWall were downloaded as many as 4.2 million times.

Researchers at security firm Check Point discovered the attack, which had permeated the Google Play Store—Google’s official app and media marketplace—and managed to avoid detection from Google’s built-in anti-malware protections.


ExpensiveWall achieved its obfuscation by using a technique known as packing. The technique requires attackers to encrypt the malicious code inside an app to make it undetectable by Google’s defenses. A key is included in the app that can decrypt the malicious code, allowing it to execute once it has been downloaded onto a device.

Packing is not a new technique, but it was apparently a successful one, as ExpensiveWall was allowed to live inside the Google Play Store for some time before discovery. For those unfortunate enough to fall victim to the attack, the malware would send premium SMS messages without the victim’s knowledge, racking up charges on their accounts for services they never used.

The user is not totally blame-free in this instance, as ExpensiveWall is only able to operate when granted permissions—though they are relatively common requests for many apps. The ExpensiveWall-carrying apps ask for internet access, which allows the app to connect with the attacker’s command and control server, and SMS permissions to send the premium texts.
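For defenders triaging an app, the two traits described above (an encrypted payload inside the package, and the internet-plus-SMS permission pair) can be checked with a short script. This is an added example, not code from Check Point or Google; it assumes the manifest has already been decoded to text XML, and the sample archive, file names and thresholds are constructed for illustration.

```python
import hashlib
import io
import math
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission pair named in the article: server connectivity plus SMS sending.
SMS_FRAUD_COMBO = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

def requested_permissions(manifest_xml):
    """Permissions declared in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted data, much lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def high_entropy_entries(apk_bytes, threshold=7.5, min_size=1024):
    """Archive entries whose uncompressed content looks encrypted (heuristic)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        blobs = ((name, apk.read(name)) for name in apk.namelist())
        return [name for name, data in blobs
                if len(data) >= min_size and shannon_entropy(data) >= threshold]

def triage(apk_bytes, manifest_xml):
    perms = requested_permissions(manifest_xml)
    return {"sms_fraud_permissions": SMS_FRAUD_COMBO <= perms,
            "possible_packed_payloads": high_entropy_entries(apk_bytes)}

def build_sample():
    """Constructed sample (not a real app): a text asset and a pseudo-random blob."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/help.txt", "Tap an image to set it as wallpaper.\n" * 60)
        z.writestr("assets/cfg.dat", blob)
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                '<uses-permission android:name="android.permission.INTERNET"/>'
                '<uses-permission android:name="android.permission.SEND_SMS"/></manifest>')
    return buf.getvalue(), manifest

print(triage(*build_sample()))
```

Both signals are triage hints rather than verdicts: the permission pair is common in legitimate apps, and already-compressed media such as PNG or JPEG files also score near 8 bits per byte.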

In addition to generating a profit for the attackers through the premium services scheme, ExpensiveWall also gathers data about the device it's installed on—including location and unique identifiers such as MAC and IP addresses—and ships that information back to the command and control server.

A modified version of the malware could be used to do much more damage to a victim’s privacy. The attack could be used to steal photos, record audio and collect sensitive data from users.

While such a spying variant of the malware doesn’t exist yet, the attack has undergone changes in the past. Before ExpensiveWall, another version of the same malware family was discovered conducting the same premium text scam from inside the Google Play Store. The entire malware family is believed to have been downloaded as many as 21.1 million times.

“Malware like...ExpensiveWall [is] becoming ever-increasingly popular. We see newer techniques being deployed, which should raise concerns for app store operators like Google,” Javvad Malik, security advocate at AlienVault, told International Business Times.

“While Google already does a good job of screening most malicious apps, the increasing sophistication of mobile malware could mean app stores need to increase their level of testing to dig deeper into app functionality. They also need to collaborate closer with security researchers, so that, like in this case, vulnerabilities and malicious app details can be shared quickly and pulled from stores,” he said.

Apps containing ExpensiveWall have been removed from the Google Play Store by Google. However, those who downloaded the apps prior to their removal will continue to have the malware on their devices until they remove the compromised apps.