Malware found in wallpaper apps infects 21 million Android devices via Google Play
Check Point's researchers discovered the malware early last month and issued a statement that contains all their findings related to ExpensiveWall.
Unfortunately, the malware infected at least 50 apps on Google Play, which were downloaded between 1 million and 4.2 million times before they were removed.
The ExpensiveWall malware was “packed” inside wallpaper apps, which allowed it to escape Google Play's built-in anti-malware protections. Packing is a technique malware developers frequently use to encrypt malicious code.
Even though Google removed these infected apps after August 7, those who installed them before they were removed are still at risk, so they should manually remove them from their Android devices.
How does it work?
Since ExpensiveWall is “packed” inside an Android app, it will ask the user for several common permissions, such as SMS and internet access. If these are granted, the malware will start sending premium SMS messages and, without the user's knowledge, register the user for other paid services that don't exist.
Although these permissions are pretty common for certain types of apps, there's absolutely no reason for a wallpaper app to request SMS permission or even internet access for that matter. Unfortunately, many Android users grant these permissions without thinking, which is probably one of the reasons the malware propagated so fast in the first place.
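The permission mismatch described above can be checked mechanically. The following is an added example, not code from Check Point or from the article: it assumes an app's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and it treats any app declaring SET_WALLPAPER or BIND_WALLPAPER as a wallpaper app, which is a heuristic chosen for this sketch. The package names and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Heuristic (assumption of this example): these mark an app as a wallpaper app.
WALLPAPER_MARKERS = {"android.permission.SET_WALLPAPER",
                     "android.permission.BIND_WALLPAPER"}
# Permissions the article calls out as unjustified for a wallpaper app.
SMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
       "android.permission.RECEIVE_SMS"}
NETWORK = {"android.permission.INTERNET"}


def audit_manifest(xml_text):
    """Return (package, findings) for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # BIND_WALLPAPER is declared on a <service>, not via <uses-permission>.
    bound = {s.get(ANDROID + "permission") for s in root.iter("service")}
    findings = []
    if (requested | bound) & WALLPAPER_MARKERS:
        # SMS access in a wallpaper app is the strongest warning sign.
        findings += [("high", p) for p in sorted(requested & SMS)]
        # Internet access is common, so it is only marked for manual review.
        findings += [("review", p) for p in sorted(requested & NETWORK)]
    return root.get("package"), findings


def manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


SAMPLES = [
    manifest("com.example.wallpapers", ["SET_WALLPAPER", "SEND_SMS", "INTERNET"]),
    manifest("com.example.plainwalls", ["SET_WALLPAPER"]),
    manifest("com.example.messenger", ["SEND_SMS", "INTERNET"]),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        package, findings = audit_manifest(xml_text)
        print(package, findings or "no mismatch")
```

The messenger sample is not flagged because sending SMS matches what that kind of app does; only the combination of a wallpaper app with SMS or network permissions is reported.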
How to avoid being infected?
Well, there's really no way to stay protected unless you pay attention to the permissions an app requests before you install it. ExpensiveWall is a very tricky piece of malware that's hardly detectable by standard (read: free) security solutions available in the Google Play Store.
What's even worse is that malware developers find new ways to get past Google Play Store's security protections more often than ever before. The bottom line is you can never be certain whether your Android device is infected or not, so the best way to stay safe is to install high-profile apps and avoid the questionable ones.
source: Check Point