Android apps causing automated unwanted purchases on phones in the UAE, and it is just the tip of the iceberg…

In Empello, News by Empello

Three wallpaper apps, Ladder Wallpaper (com.tiezi.ladder.wallpapers), Boom Wallpaper (com.quarter.boomboom.wallp) and Graft Wallpaper (com.graft.allpaper), were each downloaded by thousands of users. All three secretly sign users up for premium content without their consent or knowledge. In October 2019 the apps were still available on the Google Play Store; they have since been taken down. They remain, however, widely available on unofficial APK download sites and are still affecting thousands of Android users.

How it happened:

Empello’s FraudStop uncovers thousands of malware apps from the Google Play Store and unofficial APK download sites. Our team picked up the trio of wallpaper apps as containing malware and tested them in many of the regions where Empello operates. The UAE showed the most instances of fraud from these apps.

In October 2019, we installed these apps on two Android test phones, one with an Etisalat SIM card and another with a du SIM card. During installation, the malware apps ask for a wide range of permissions. These give the apps control over many aspects of the phone: they allow it to make phone calls, access the contact list, switch between WiFi and mobile data and, most importantly, read and send SMS.

In order to subscribe to a premium service billed via du or Etisalat, a real user needs to interact with a payment page where they enter their phone number (unless it is already known through header enrichment). The user then receives a One-Time Password (OTP) via SMS and manually enters it on the payment page to confirm the purchase. The OTP is the only step in this flow that is meant to prove a person is present at the handset.

Figure 1: Multiple OTPs received via Upstream Systems-managed “Pay-with-du”


All of the steps above are performed by the malware apps in the background: with the SMS permission granted at install time, an app can read the incoming OTP and submit it to the payment page itself. This is exactly what happened on our Etisalat and du phones in the UAE. An SMS OTP only proves that something on the handset can read SMS, and a co-installed app holding that permission satisfies the check just as well as the user. The malware apps therefore not only bypass the OTP protection but also any other protection currently in place.

Figure 2: A confirmation of subscription to a service called “Assorted Games” is received on du within seconds of the OTP for this service shown in Figure 1.


Within minutes of installing these malware apps, our infected test phones received hundreds of messages containing OTPs, and in between them dozens of messages confirming subscriptions to premium services. None of these purchases was authorised by a real user, and together they significantly reduce the credit on the phone. If not cancelled, each subscription keeps billing the user daily, at an average of AED 3 per day, which can easily add up to AED 90 on a monthly bill!
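The volume and timing described above (hundreds of OTPs within minutes, a confirmation within seconds of each OTP) are signals a payment page can check for server-side. The Python below is an added example, not FraudStop code and not from the original article: it models the OTP log a payment page could keep (the event sample and the MSISDN labels "msisdn-A" / "msisdn-B" are constructed for this example) and flags two things, more OTP sends to one MSISDN than a person would request inside a short window, and an OTP confirmed faster than a person could read the SMS and type it in.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event tuple: (timestamp, msisdn, service, kind) where kind is
# "otp_sent" (page sent the SMS) or "otp_confirmed" (code submitted).


def _build_sample():
    """Constructed log: one human purchase plus one infected handset."""
    t0 = datetime(2019, 10, 14, 9, 0, 0)
    events = []
    # msisdn-A: a real user asks for one OTP and types it 42 s later.
    events.append((t0, "msisdn-A", "Assorted Games", "otp_sent"))
    events.append((t0 + timedelta(seconds=42), "msisdn-A", "Assorted Games", "otp_confirmed"))
    # msisdn-B: a new OTP every 5 s, each "confirmed" 2 s after it was sent,
    # which is the pattern the infected test phones showed.
    for i in range(30):
        sent = t0 + timedelta(seconds=5 * i)
        svc = "service-%d" % (i % 6)
        events.append((sent, "msisdn-B", svc, "otp_sent"))
        events.append((sent + timedelta(seconds=2), "msisdn-B", svc, "otp_confirmed"))
    return sorted(events)


SAMPLE_EVENTS = _build_sample()


def otp_velocity_alerts(events, window=timedelta(minutes=5), max_sends=5):
    """Return the MSISDNs that were sent more than max_sends OTPs inside any
    sliding window of the given length. A person buying one subscription
    needs one OTP; dozens in a few minutes indicates automation."""
    recent = defaultdict(deque)   # msisdn -> timestamps of recent sends
    flagged = set()
    for ts, msisdn, _svc, kind in sorted(events):
        if kind != "otp_sent":
            continue
        q = recent[msisdn]
        q.append(ts)
        while q and ts - q[0] > window:   # drop sends outside the window
            q.popleft()
        if len(q) > max_sends:
            flagged.add(msisdn)
    return flagged


def fast_confirm_alerts(events, min_human_seconds=10):
    """Return (msisdn, service, delay_seconds) for every OTP confirmed in
    less than min_human_seconds after it was sent. Reading an SMS and typing
    the code takes a person longer than that; a co-installed app does not."""
    pending = {}          # (msisdn, service) -> time the OTP was sent
    flagged = []
    for ts, msisdn, svc, kind in sorted(events):
        key = (msisdn, svc)
        if kind == "otp_sent":
            pending[key] = ts
        elif kind == "otp_confirmed" and key in pending:
            delay = (ts - pending.pop(key)).total_seconds()
            if delay < min_human_seconds:
                flagged.append((msisdn, svc, delay))
    return flagged


def suspicious_msisdns(events):
    """MSISDNs that trip either check; a payment page would hold these
    subscriptions for review instead of billing them."""
    fast = {m for m, _svc, _d in fast_confirm_alerts(events)}
    return otp_velocity_alerts(events) | fast


if __name__ == "__main__":
    print("velocity:", otp_velocity_alerts(SAMPLE_EVENTS))
    print("fast confirms:", len(fast_confirm_alerts(SAMPLE_EVENTS)))
    print("hold for review:", suspicious_msisdns(SAMPLE_EVENTS))
```

Both thresholds are assumptions chosen for the sample; a real deployment would tune them per operator and combine them with the page-side signals (header enrichment, device fingerprint) that the article mentions only in passing. The point of the two checks is that they key on properties the malware cannot hide: it needs many OTPs to reach many services, and it answers them faster than a human can.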

Figure 3: One of the malware apps sending a confirmation of purchase to a service called “Laugh Factory” on our Etisalat phone.


Empello is convinced that thousands of users in the UAE were affected by malware apps in October 2019. The results of our tests with the wallpaper apps are only the tip of the iceberg.

How can users protect themselves against malware ad fraud?

Users should avoid downloading apps from unknown sources, as well as apps advertised in the wild on the web. The Google Play Store is generally a safer place to download Android apps, but it does itself get infiltrated by malware; when an app is found to be malicious, Google Play sends a notification warning users to delete it. It is also worth checking which apps hold the SMS permission in the phone’s settings and revoking it from any app, such as a wallpaper app, that has no reason to read messages. Keeping an eye on battery life helps too, as such apps use a lot of battery. Finally, if an unknown charge appears on a bill, look for SMS messages confirming a subscription; these usually explain how to unsubscribe.

How can content providers, aggregators and mobile operators protect their users against ad fraud?

Empello understands the world of fraud in the VAS industry. We have a team dedicated to finding malware apps: unravelling them inside out, testing them and finally stopping any suspicious attempt to cause an automated purchase. Empello’s proprietary solution FraudStop can be deployed on payment pages to provide the fullest defence possible against fraudulent payments and subscriptions.

For more information, get in touch via our contact form.