Android Trojan Malware Buys Apps Without Notifying Users

Posted Jul 9, 2012

Most of the well-known apps available for download are on the Google Play app store. However, there are some Chinese third-party online Android app stores available for people who want to buy apps in their own native language. Unfortunately for them, a good number of those apps contain malware. According to mobile security company TrustGo, one of those applications has malware that buys apps and other content from China Mobile’s Mobile Market without alerting the user or asking for permission.

The malware is called MMarketPay, and the Trojan appears to be repackaged under several types of travel and weather apps. These apps are spread across nine other Chinese Android markets. The malware app is believed to have been installed by 100,000 users.

After logging in to the market’s website, the malware can automatically place orders for paid apps and content. M-Market sends a verification code via SMS, which is then provided to M-Market for verification. After the verification is completed, the app is downloaded automatically and China Mobile ends up adding the order to the customer’s phone bill.

The Trojan can gain control of received SMS messages in order to collect the verification code sent by M-Market, and if a CAPTCHA image is used, it can post the image to a remote server to search for the correct answer. Consumers end up with a higher phone bill in the process.