Table of Contents
  • Home
  • /
  • Blog
  • /
  • 9 New Fake Apps on the Play Store Which Can Hijack SMS Notifications to Carry Out Billing Fraud
April 24, 2021

9 New Fake Apps on the Play Store Which Can Hijack SMS Notifications to Carry Out Billing Fraud

9 New Fake Apps On The Play Store Which Can Hijack Sms Notification To Carry Out Billing Fraud

This time cybercriminals used Google’s play store as a playground to carry out attacks on millions of Android users. Researchers uncovered nine fake apps on the play store which can hijack SMS notifications to carry out billing fraud. Let’s see more details about the apps and the malware used to carry out the billing fraud.

Who Can Be the Victim of the Fake Apps on the Play Store?

As per the research from Trend Micro and McAfee, Android users from Southwest Asia and the Arabian Peninsula have become victims of these malicious apps. It has been said that more than 750,000 users have downloaded these fake apps from Google’s play store.

List of 9 fake apps on the play store which is reported malicious:

Here are the nine apps McAfee researchers found malicious on the Play store. Please check your phone for these apps if you spot any of these apps on your phone. Immediately remove those and check for any bank account, credit card, debit card, or any unauthorized transactions.

  • Keyboard Wallpaper 

  • PIP Photo Maker 

  • 2021 Wallpaper and Keyboard 

  • Barber Prank Hair Dryer, Clipper, and Scissors 

  • Picture Editor 

  • PIP Camera 

  • Keyboard Wallpaper 

  • Pop Ringtones for Android 

  • Cool Girl Wallpaper/SubscribeSDK 

How Cybercriminals Managed to Publish These Fake Apps on the Play Store to Carry Out These Attacks?

  • Android Joker Malware: Cybercriminals fooled Google with a malware strain called ‘joker‘, which has successfully bypassed Google’s security several times over four years.

  • Versioning: defense is that Cybercriminals use a unique technique called versioning. In this technique, malware authors first upload the clean apps to the Play store to build the among the users. In the later stage, deliver malware codes to the user’s app in the form of app updates.

  • Dynamic Encrypted payloads: The dynamic code update function with encrypted payloads helps the malware to cover itself from Google’s defense system.

  • Most downloaded app categories: These fake apps on the play store impersonate themselves as legitimate photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, which were found to be the most downloaded app categories by users.

How Does This Malware Work?

  1. At first, app servers send malicious codes to the Android device in the form of updates. These files will be stored inside the ‘assets’ folder in the names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files.

  2. Malicious code opens the ‘1.png’ file saved inside the ‘assets’ folder. Malicious code will decrypt the file using the RC4 protocol with the package name as the key. It stores the decrypted file in the mane of ‘loader.dex’ file.

  3. The loader.dex file creates an HTTP request to the C2 server requesting AES keys to decrypt the second payload ‘2.png’.

  4. The C2 server sends the keys to decrypt the second payload for execution.

  5. As we said in the previous section, this malware is loaded with a dynamic code-loading function. Malicious code will either execute the ‘2.png’ or it will download the new content from the URL and execute that whenever it receives the URL from the C2 server. Note: the server doesn’t respond to all the requests and shares the key.

  6. The payload tries to hijack the Notification listener service to read the SMS like Android Joker malware. The malware then processes the SMS data to the final stage and sends the data to the C2 server.

  7. Upon further analysis, it was found that the malware can send this information, including carrier, phone number, SMS message, IP address, country, and network status, along with auto-renewing subscription information.

Identified Indicator of Compromise (IoC) During Malware Analysis Process:

IoCs are nothing but indicators of compromise. Suppose you found any files which have these hashes. Additionally, if you notice your Android phone has communicated to these URLs at any point in time, it’s clear that your phone is compromised. The verification process needs some technical knowledge to check the file fingerprints and communication with the URLs. You can leave this section if you are not from a technical background. We feel it’s our responsibility to give the details as much as we can.





08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 com.super.color.hairdryer



0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 com.daynight.keyboard.wallpaper



Please share this article with others and make them aware of these new fake apps on the play store. If you find this article interesting, read more such articles here:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription