Malicious App in Google Play

Many fraudulent apps have made their way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula to the tune of more than 700,000 downloads. These malicious apps in the Google Play Store hijack SMS message notifications to commit billing fraud.

What are these fraudulent apps up to?

Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijacks SMS message notifications and then makes unauthorized purchases. The apps were confirmed to be fraudulent after validation.

Negative reviews on Google Play

Technical Analysis

The malware embedded in these apps takes advantage of dynamic code loading. Encrypted payloads of malware appear in the assets folder associated with the app, using names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files, as illustrated below.

Encrypted resource sneaked into the assets folder
Decryption flow

The hidden malicious code in the main .apk opens the “1.png” file in the assets folder, decrypts it to “loader.dex,” and then loads the dropped .dex. The “1.png” file is encrypted using RC4 with the package name as the key. The first payload creates an HTTP POST request to the C2 server. When the server responds with a “URL” value, the content at that URL is used instead of “2.png.”
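As an added illustration (not code from the article or from the malware itself), the Python below shows how an analyst could attempt the same RC4 recovery on an asset pulled from an unpacked APK and confirm the result is really a DEX file by its magic bytes. The package name and asset bytes are constructed for the demo.

```python
"""Analyst helper (added example): try the package-name-as-RC4-key recovery
described above on an extracted asset and check whether the output is DEX.
All sample values below are constructed; nothing here comes from a real sample."""
from typing import Optional

DEX_MAGIC = b"dex\n035\0"   # header of a classes.dex file (dex version 035)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). It is symmetric, so one routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_dex(blob: bytes) -> bool:
    """A genuine .png starts with 0x89 'PNG'; a dropped loader starts with the DEX magic."""
    return blob.startswith(DEX_MAGIC)

def recover_asset(package_name: str, asset_bytes: bytes) -> Optional[bytes]:
    """Decrypt with the app's package name as the RC4 key; return plaintext only if it is DEX."""
    plain = rc4(package_name.encode(), asset_bytes)
    return plain if looks_like_dex(plain) else None

# --- constructed demo data (stands in for an app's "1.png" asset) ---
DEMO_PACKAGE = "com.example.wallpaper"                       # constructed package name
DEMO_DEX = DEX_MAGIC + b"\0" * 24 + b"<rest of loader.dex>"  # constructed fake DEX body
DEMO_ASSET = rc4(DEMO_PACKAGE.encode(), DEMO_DEX)            # what the asset looks like on disk

if __name__ == "__main__":
    print("asset is a PNG?", DEMO_ASSET.startswith(b"\x89PNG"))       # False: fake extension
    print("recovered with package name:", recover_asset(DEMO_PACKAGE, DEMO_ASSET) is not None)
    print("recovered with wrong key:", recover_asset("com.other.app", DEMO_ASSET) is not None)
```

For a real triage, read each suspicious asset from the unpacked APK and the package name from AndroidManifest.xml, then feed both to recover_asset.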

Workflow of notification:

The malware seizes the Notification Listener to steal incoming SMS messages, as the Android Joker malware does, without needing the SMS read permission. The malware then passes the notification object to the final stage, and the message is sent out using the WebView JavaScript Interface.

Notification delivery flow

Technical Data and IOCs

Threats that take advantage of the Notification Listener will continue to flourish, so it is essential to pay attention to apps that request SMS-related permissions or Notification Listener access. Simply put, legitimate photo and wallpaper apps won’t ask for those, because they are not necessary for such apps to run. If a request seems suspicious, don’t allow it.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.