Even though malicious Android apps can occasionally be found on Google Play, Chinese third-party online Android markets are known for offering them by the hundreds, if not thousands.
Most of them do one of two things: collect personal and device information, or send out pricy messages to premium rate numbers. But now and then, an app that doesn’t follow that pattern crops up.
Researchers of mobile security company TrustGo have recently unearthed a new type of Android malware whose goal is to surreptitiously buy apps and other content from China Mobile’s Mobile Market without alerting and needing the permission of the user.
Dubbed MMarketPay, the Trojan comes repackaged with a number of legitimate travel and weather apps, and is currently offered on no less than nine online Chinese Android markets.
According to the researchers, it has already been downloaded and likely installed by more than 100,000 users.
The malicious apps takes advantage of the easily subverted Mobile Market’s payment workflow.
After having logged into the market’s website, the Trojan can automatically place orders for paid apps and content. M-Market sends a verification code via SMS, which is then provided to M-Market for verification.
Once the verification is completed, the app is downloaded automatically, and China Mobile adds the order to the customer’s phone bill.
The Trojan is able to intercept received SMS messages in order to collect the verification code sent by M-Market and, if a CAPTCHA image is invoked, it is also able to post it to a remote server in search for the correct answer.
In the end, the users is left with an unexpected high phone bill.