Skip to main content

These fake Android apps steal your money when you aren’t looking

If you thought you were immune from hackers when downloading “legit” Android apps from Google Play, then think again. The McAfee Mobile Research team recently discovered a new campaign where at least 15 apps were “re-packaged” to secretly sign up for premium paid services in the background. The list includes Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone.

The campaign is run by the AsiaHitGroup Gang who first appeared in late 2016 to target victims primarily in Thailand and Malaysia. The group used a fake app installer called “Sonvpay.A” that, for a price, pretended to install popular apps delivered outside Google Play. But it secretly subscribed at least 20,000 victims to paid services in the background by sending SMS messages to premium-rate numbers.

But that was only the beginning.

Recommended Videos

The group then moved on to bigger bucks through Google Play during November 2017 in its second campaign targeting Thailand, Malaysia and Russia. They modified the fake installer, now called “Sonvpay.B,” to serve as full-fledged familiar-but-fake apps listed on Google’s storefront. For this campaign, Sonvpay relied on IP address geolocation to identify the victims’ country of origin. The campaign also used the same SMS method while adding WAP billing — aka direct billing to a mobile carrier — to secretly subscribe victims to premium services. 

Please enable Javascript to view this content

The group’s third campaign began in January 2018 targeting devices accessing Google Play in Malaysia and Kazakhstan. Instead of creating fake apps, the group bundled legitimate Android apps with “Sonvpay.C,” which uses silent background push notifications to secretly subscribe victims to premium paid services. The apps themselves don’t pose any kind of threat outside wanting permission to access SMS messages. In fact, they act completely normal. 

“The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers,” McAfee’s Carlos Castillo reports. “Instead it requires only that users employ the mobile network to access a specific website and automatically click on a button to initiate the subscription process.” 

After you install one of these apps, the Sonvpay component receives commands to sign onto premium paid services through push notifications that the device owner never sees. These services are billed directly to the mobile carrier. Even more, there’s a fake “update” component where if the device owner agrees to the update, Sonvpay.C will subscribe to premium services. Even if the user doesn’t agree, the services may show up on the mobile carrier’s bill anyway depending on the command sent through the push notification. 

The problem with carrier billing and this type of fraudulent charge is that it’s typically not discovered until the victim receives a monthly statement. These charges are typically subscription-based as well, so victims must figure out how to unsubscribe from the premium service.

When McAfee’s team discovered Qrcode Scanner, Cut Ringtone 2018 and Despacito Ringtone loaded with the Sonvpay.C component, they promptly alerted Google and saw the apps disappear from Google Play. Despacito for Ringtone appeared several days later, once again laced with Sonvpay.C, but was quickly nuked by Google.

Unfortunately, the AsiaHitGroup Gang will likely return for a fourth campaign. 

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Apple may finally fix the worst things about the MacBook Pro
Someone using a MacBook Pro M4.

Future MacBook Pro models may trade in Apple’s now signature notch design for a hole-punch camera motif.

A component road map from research firm Omdia details that Apple has plans to make changes to the display of its 14-inch and 16-inch MacBook Pro models that will be released in 2026.

Read more
What is AppleCare+ and is it worth adding to your MacBook?
A person using a MacBook with an Apple Studio Display.

If you’ve just kitted yourself out with one of the best Macs, you might be looking to protect your purchase with some kind of insurance. If that’s the case, you’ve probably heard of AppleCare+. But what exactly is AppleCare+, and should you buy it for your MacBook?

Here, you’ll find everything you need to know about AppleCare+, including what it is, how much it costs, and whether it’s worth it. Read on and you’ll be able to make an informed decision for your Mac in just a few minutes.
What is AppleCare+?

Read more
7 surprising things you didn’t know you could do with AI
robot and human hands touching fingertips

When most people think of generative AI, their thoughts immediately jump to popular AI chatbots like ChatGPT, Gemini, and Copilot — all of which do basically the same sorts of generative things, just wearing different hats.

In reality, AI is capable of so much more than simply regurgitating text, images, and computer code. A new surge of AI tools is enabling all sorts of things you may not have thought possible before. This list could be much longer, but to give you a taste of how broad AI is reaching, here are seven surprising tasks that generative AI can help you accomplish.
Build an online brand

Read more