Female-targeted malware steals WhatsApp number for SMS fraud

A security company has discovered a form of Android malware in which an app steals a user’s phone number from WhatsApp to subscribe to premium SMS services. The malware has been downloaded between 300,000 and 1.2 million times.

According to Panda Security, the malware was hidden in apps in Google’s Play Store that included cupcake recipes and diet tips, and therefore seemed specifically aimed at women. The apps displayed a window with a large Accept button, with a window with unreadable conditions below it. Those conditions stated that the user agrees to a subscription to a premium SMS service.

That premium SMS service then sent an SMS to confirm the subscription, but the app intercepted it, extracted the PIN from the SMS and confirmed the subscription on the service’s site. All this happened in the background, without the user being able to see anything.

The apps did not retrieve the user’s phone number from the SIM card, but from chat app WhatsApp. As a result, the app did not need access to calling services. The malware has been downloaded by between 300,000 and 1.2 million people, presumably mostly Spanish-speaking Android users. The fact that the apps appeared in the Play Store is probably because they have little to do with malware that has appeared so far. After all, the apps ask for permission to take out the subscription to SMS services. The apps also raised little suspicion as they received hundreds to thousands of ratings with an average of four stars. Google has since removed the apps.

While much malware targets Android, the threats often come from apps that don’t appear in Google’s Play Store. Malware is often found in apps on, for example, file sharing sites that users think is a cracked version of a paid app. A lot of malware is also in apps for alternative download stores. Google checks apps with its Bouncer program for malware before they make it to the Play Store. In addition, Google can check apps that users sideload for malware upon installation.