These fake Android apps steal your money when you aren’t looking

If you thought you were immune from hackers when downloading “legit” Android apps from Google Play, then think again. The McAfee Mobile Research team recently discovered a new campaign where at least 15 apps were “re-packaged” to secretly sign up for premium paid services in the background. The list includes Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone.

The campaign is run by the AsiaHitGroup Gang who first appeared in late 2016 to target victims primarily in Thailand and Malaysia. The group used a fake app installer called “Sonvpay.A” that, for a price, pretended to install popular apps delivered outside Google Play. But it secretly subscribed at least 20,000 victims to paid services in the background by sending SMS messages to premium-rate numbers.

But that was only the beginning.

The group then moved on to bigger bucks through Google Play during November 2017 in its second campaign targeting Thailand, Malaysia and Russia. They modified the fake installer, now called “Sonvpay.B,” to serve as full-fledged familiar-but-fake apps listed on Google’s storefront. For this campaign, Sonvpay relied on IP address geolocation to identify the victims’ country of origin. The campaign also used the same SMS method while adding WAP billing — aka direct billing to a mobile carrier — to secretly subscribe victims to premium services. 

The group’s third campaign began in January 2018 targeting devices accessing Google Play in Malaysia and Kazakhstan. Instead of creating fake apps, the group bundled legitimate Android apps with “Sonvpay.C,” which uses silent background push notifications to secretly subscribe victims to premium paid services. The apps themselves don’t pose any kind of threat outside wanting permission to access SMS messages. In fact, they act completely normal. 

“The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers,” McAfee’s Carlos Castillo reports. “Instead it requires only that users employ the mobile network to access a specific website and automatically click on a button to initiate the subscription process.” 

After you install one of these apps, the Sonvpay component receives commands to sign onto premium paid services through push notifications that the device owner never sees. These services are billed directly to the mobile carrier. Even more, there’s a fake “update” component where if the device owner agrees to the update, Sonvpay.C will subscribe to premium services. Even if the user doesn’t agree, the services may show up on the mobile carrier’s bill anyway depending on the command sent through the push notification. 

The problem with carrier billing and this type of fraudulent charge is that it’s typically not discovered until the victim receives a monthly statement. These charges are typically subscription-based as well, so victims must figure out how to unsubscribe from the premium service.

When McAfee’s team discovered Qrcode Scanner, Cut Ringtone 2018 and Despacito Ringtone loaded with the Sonvpay.C component, they promptly alerted Google and saw the apps disappear from Google Play. Despacito for Ringtone appeared several days later, once again laced with Sonvpay.C, but was quickly nuked by Google.

Unfortunately, the AsiaHitGroup Gang will likely return for a fourth campaign. 

Mobile

Google brings its high-accuracy emergency location tracking to the U.S.

Google has announced that its Emergency Location Service is coming to Android phones on T-Mobile, marking the service's U.S. debut. The service allows for high-accuracy location information to be sent to first responders.
Mobile

Not sure about updating to iOS 12? Here are five reasons why you should

If you’re on the fence about whether to install iOS 12 or not, allow us to explain why the update is worthwhile. Here are five of our favorite features from Apple’s mobile platform.
Mobile

How to downgrade your iPhone or iPad from iOS 12 to iOS 11.4

Apple's iOS 12 may be the latest and greatest version of the mobile operating system, but perhaps it's not right for you right now. If that is the case, thankfully there are some ways to go back to iOS 11.4.
Mobile

Here’s why Trump will text you on Thursday

FEMA is preparing a test of a mobile presidential alert system. The test will occur on September 20 and is meant to ensure that the president can quickly communicate with people in the event of natural disasters and emergencies.
Computing

Newegg was cracked, customer data has leaked, and security is clearly scrambled

Online electronics retailer Newegg has found themselves at the heart of an online security breach as the company's payment system was breached, giving hackers of the notorious group, Magecart, potential access to confidential customer data…
News

Winamp media player might be back from the dead, with Windows 10 support

Winamp might be back from the dead, and it's bringing support for Microsoft Windows 10 with the first new software release since its acquisition by Radionomy in 2014. Fans of the media player will also enjoy new features and bug fixes.
Computing

Heavily overclocked RTX 2080 Ti steals every 3DMark record

Nvidia's RTX 2080 Ti is already the most powerful graphics card ever released, but with liquid nitrogen cooling overclocker Kingpin was able to push the card to new heights and break a bunch of records in the process.
Computing

Photoshop isn't required to resize images. Here are 6 ways to do it in seconds

Resizing an image isn't the toughest thing in the world, even if it may seem like a hassle. Here's how to resize an image using six tools that allow you to make quick work of any photo, regardless of your operating system.
Computing

Chromebook keyboard showcase may have leaked Pixelbook 2 images

As we approach Google's #madebygoogle event taking place in early October, new rumors and leaks for a possible Pixelbook 2 are appearing online. This latest one may show what the rumored Nocturne design will look like.
Virtual Reality

Walmart stocks its stores with VR training for its employees

Walmart will begin rolling out virtual reality training experiences to all of its stores this year with the power of Oculus Go. More than 6,300 stores will receive the new technology, helping the company train its employees.
Computing

Tap Strap wearable keyboard gains support for VR applications

TAP System's wearable keyboard gains support for virtual reality, now compatible with Windows Mixed Reality, Oculus Rift, and HTV headsets. Type and tap for up to eight hours in VR without needing to look at a physical keyboard.
Computing

Wi-Fi vulnerability could allow attackers to steal your data on unencrypted sites

A 20-year-old security flaw in the design of the Wi-Fi standard and how computers communicate using the transmission control protocol could allow hackers to perform a web cache poisoning attack to steal your data and login information.
Deals

Walmart takes $380 off the MacBook Air for a limited time

Walmart is offering a steep discount on the MacBook Air. Though the $380 discount is lovely, this offer comes with an extra charger to sweeten the deal. If you're looking to pick up an Apple MacBook for less, now is an excellent time.
Computing

PDF to JPG conversion is quick and easy using these simple methods

Converting file formats can be an absolute pain, but it doesn't have to be. We've put together a comprehensive guide on how to convert a PDF to JPG, no matter which operating system you're running.