Malware From Google Play Store Infects 700,000 Users


Etinu malware bypasses Google’s security protections, infects 700,000 Android users to make unauthorised purchases before being removed

A wave of fraudulent Android apps was downloaded more than 700,000 times from the Google Play Store before being removed, security researchers said.

Targeting users Southwest Asia and the Arabian Peninsula, the apps posed as photo editors, wallpapers, puzzles, keyboard skins and camera-related tools.

But once installed, they would hijack SMS message notifications and then make unauthorised purchases, McAfee said.

In order to bypass Google’s security protections, the scammers first submitted a clean version to the Play Store.

Scam apps containing the Etinu malware. Image credit: McAfee

Unauthorised purchases

Further updates then added progressively malicious features, found McAfee, which calls the malware Etinu.

“The malware embedded in these apps takes advantage of dynamic code loading,” McAfee said in its advisory.

“Encrypted payloads of malware appear in the assets folder associated with the app, using names such as ‘cache.bin’, ‘settings.bin’, ‘data.droid’, or seemingly innocuous ‘.png’ files.”

In order to avoid the need for the SMS read permission, the malware hijacks the Notification Listener to steal incoming SMS messages.

This feature is similar to the Joker Android malware, as described by Trend Micro last month.

Suspicious permissions

The Etinu malware then creates auto-renewing subscriptions without the user’s knowledge.

McAfee said the malware relies on abuse of the Notification Listener permission to carry out its work.

The company said it expects threats that take advantage of Notification Listener “will continue to flourish”.

“It’s important to pay attention to apps that request SMS-related permissions and Notification Listener permissions,” the company said.

“Simply put, legitimate photo and wallpaper apps simply won’t ask for those because they’re not necessary for such apps to run. If a request seems suspicious, don’t allow it.”