The apps slipped by the Google safeguards and checks. They did not even appear to make any unusual permission requests, and they appeared to be what they claimed to be. Hiding inside the apps, however, was a function that takes advantage of a feature called Direct Carrier Billing (DCB). This feature allows an app or service to bill charges directly to your carrier account.
The scamware is slick. When the app is launched, it gathers some configuration information (language, region, etc.) and then presents a web view to the user. The view asks the user to confirm their location by entering their phone number. That phone number is the key to the API calls that enable the DCB charge. Once it has been entered, the scamware starts a monthly billing cycle. The amount billed to the account is low (around $15), small enough that it could easily be overlooked, and with the push toward automated billing it might never be noticed at all by the owner of an infected device. Given the large number of users impacted, the billing amount would not need to be large to turn a massive profit.
The threat group appears to be new, or at least newly identified in terms of its TTPs, although it does share some similarities with another group dubbed GriftHorse. Once again, we see that mobile devices are easy targets due to several factors, including how people use them. This trend is likely to continue and even become more widespread, simply because our mobile devices can do so much more and, as we have said before, are typically used as both work and personal platforms. The antimalware industry really needs to step up, and soon.
Complete list of known infected apps
Stay safe out there.