We have found 14 apps with the same behavior in Google Play that, with different pretexts (from jokes to recipes) subscribe the user to premium SMS numbers. Although the apps show a message about the subscription, they send an SMS by themselves confirming the subscription in a transparent way, so the user does not notice anything. The attacker got more than 100.000 downloads. Not all downloads translate into direct subscriptions because the attackers only allow important carriers from Spain, and if the device does not match with these conditions, the app will act normally.
What the user perceives
When the user downloads and installs any of these apps, something like this will be shown.
 |
| This is what the users sees if it belongs to the right carrier and country |
It is true the attacker is really advising the user: you are going to be subscribed, but it automatically will send the SMS leaving no trace on the phone. In previous apps like this, the button used to be less explicit (maybe “Accept” or asking for your age) but at this point, the attackers used “Subscribe” which should make the users more aware about the problem.
The app will check if the device belongs to the right carrier and comes from Spain. By now, two different SMS have been sent, one to start the subscription and another to confirm it, but the user will notice nothing.
 |
| JavaScript code to check for carrier and country |
What happens and how it works?
The whole program is launched under a WebView, and calls an index file that comes with the apk itself. When the two SMSs are sent, the apps use and interesting trick. They dynamically load the receiver to intercept the incoming messages. Usually, these receivers are declared in AndroidManifest.xml. Why dynamically? Possibly to avoid static analysis. Although the app has the permission of intercepting SMSs, a sandbox or analyst will think the developer does not really use it, because it lacks any routine to manage them. But the real thing is that it loads it only if and when necessary. The receiver works when the device receives a message, and makes the app mark it as “already read” so the user does not notice any welcome message to the subscription service.
 |
| Dynamic receiver to handle incoming SMSs |
So, what is new?
There are several interesting parts on these apps.
- First, the use of JavaScript and Cordova (the bridge between JavaScript and the apk) to send messages and avoid introducing code in the app itself. This takes the whole logic to the server, what makes it more powerful, dynamic and undetected.
- Loading the receiver dynamically, may confuse a static analysis. The receiver is only declared under the right circumstances (right carrier and country) so it makes it stealthier. Aside, the receiver is loaded (and it may be unloaded too) via the JavaScript code, so it will only be listed if all conditions are satisfied in a dynamic analysis.
- It does not use the usual system to send messages, but gives them directly to SMSProvider. This avoids the sent messages to be kept in “sent” or “outbound” folder. It provides the SMS text directly to the operative system provider.
 |
| Marking the incoming SMS as already read |
Other apps like these
Who is behind these apps? Obviously they are related to the JSDialers we talked about a few weeks ago. The subscription company and domains just give us the right answers.
Screenshots of some of the apps we have found thanks to Tacyt, are these:
 |
| Some of the apps with this behevior |
This is the title, packagename, and hash of the applications found.
- Frases celebres bonitas cortas,com.thinkking,1e8568ccc54be7a73934965e97ff7e3fd9e4fec3
- Imagenes amor fotos frases,com.romaticpost,2d26c676bcb5a5f8599f49a5b90599b7ff93dc11
- Phrrasesfee,com.prasesfee,ca6ac2e1bf46087455fda358870070ec269faae6
- Statetss,com.statetss,da045796efc737d42b9e86876ec5b854289212bc
- New mensajes navidad y frases,com.navidad.extra,18db1cfb7e7340a5476a5c6e17f1f9d596045095
- Postales perritos fondos,com.imagepets,bbc6e386281f2b1931ff2be7812bf4de4530d3fe
- Funnyys,com.funnyys,9fc9e237903b02a2a47701139200c9177eec16a5
- Fotos frases amor postales,com.prasesamor,65ce3043fc249cb906b4e50a23d581d5c70819fa
- Gatitos tiernos fondos postal,com.cattss,f68ef39f5183da0745614c68a7ae135085298b54
- Recetas de cocina dietas Salud,com.kitchenn,7fa17bed794a59dd3d914d05535fe25a357ab1cd
- Chistes cortos buenos,com.chistescortos,daac73a325485f882b1dcda9758b16bb5f407770
- Chistes Picantes buenos cortos,com.chistespicanticos,dc799bcc3f1f623e211e50fbb6ececb2e64753a6
- Laughtter,com.laughtter,f569baf1c0f12c137a09e084c879979bbcfd11e1
- Healthyy,com.recipesmart,0dd97d056fa7559a2cdb35d45850cefd400f4d6f
Insterasante…este tipo de comportamientos se da en Mexico especificamente(al menos en mi caso) con AT&T. La compañia solo te dice, es que usted se suscribio,etc,etc… Despues de levantar el caso al otro mes vuelven a cargarte en la factura este servicio cuando segun ya lo habias reportado, y luego dicen ya te pusimo en "lista negra" (el numero de tu celular), segun con esto se bloquea este servicio(a veces ni funcionan, al otro me te sale el cargo). Sabes de alguna aplicacion "gratuita" que me ayude a mitigar esto ??