A wave of fraudulent Android apps was downloaded more than 700,000 times from the Google Play Store before being removed, security researchers said.
Targeting users Southwest Asia and the Arabian Peninsula, the apps posed as photo editors, wallpapers, puzzles, keyboard skins and camera-related tools.
But once installed, they would hijack SMS message notifications and then make unauthorised purchases, McAfee said.
In order to bypass Google’s security protections, the scammers first submitted a clean version to the Play Store.
Further updates then added progressively malicious features, found McAfee, which calls the malware Etinu.
“The malware embedded in these apps takes advantage of dynamic code loading,” McAfee said in its advisory.
“Encrypted payloads of malware appear in the assets folder associated with the app, using names such as ‘cache.bin’, ‘settings.bin’, ‘data.droid’, or seemingly innocuous ‘.png’ files.”
In order to avoid the need for the SMS read permission, the malware hijacks the Notification Listener to steal incoming SMS messages.
This feature is similar to the Joker Android malware, as described by Trend Micro last month.
The Etinu malware then creates auto-renewing subscriptions without the user’s knowledge.
McAfee said the malware relies on abuse of the Notification Listener permission to carry out its work.
The company said it expects threats that take advantage of Notification Listener “will continue to flourish”.
“It’s important to pay attention to apps that request SMS-related permissions and Notification Listener permissions,” the company said.
“Simply put, legitimate photo and wallpaper apps simply won’t ask for those because they’re not necessary for such apps to run. If a request seems suspicious, don’t allow it.”
Judge orders X, Starlink bank accounts unfrozen after $3.3m transfer pays off fines imposed on…
Uber expands deal with Waymo from Phoenix to Austin, Texas and Atlanta as it faces…
Discover how Generative AI is transforming the retail experience with personalised interactions, AI-powered search, and…
US House of Representatives passes bill restricting tax credits for electric vehicles using battery technology…
NASA to launch 'Europa Clipper' mission to Jupiter's moon Europa next month as it seeks…
National Crime Agency arrests 17-year-old in Walsall over hack of Transport for London that compromised…