Security has always been a problem in Android due to its open ecosystem. Not only are apps in the Play Store not pre-screened, but users can easily download apps from third-party markets with even less stringent security. While most of us are aware of only a handful of app repositories – like the Amazon AppStore – Chinese users are accustomed to using dozens of them. Now, security firm TrustGo is reporting that several of the popular Chinese app stores have been infected with malware called MMarketPay.
The MMarketPay malware is distributed through repackaged versions of popular apps like GoWeather. The Chinese app stores that have been identified as affected are nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com, and AZ4SD. The app targets subscribers of China Mobile, which is the world’s largest mobile phone operator with more than 655 million subscribers. The total number of affected users is estimated to be in excess of 100 million.
Mobile Market is an Android app store offered by China Mobile to its subscribers. Its biggest draw is its mobile payment system. Users can purchase and download any app and video they like, and the amount will simply be added to their monthly bill. The workflow is as follows:
- Customers log in at the M-Market website (http://mm.10086.cn/). No login is required if the customer is using CMWAP as the access point.
- M-Market will send a verification code to the customer via SMS, if he purchases paid apps or media.
- Customers receive the verification code and input it in M-Market for verification.
- Once the verification is completed, the market will download apps automatically. China Mobile will add this order to the customer’s phone bill.
The MMarketPay malware bypasses China Mobile’s authentication system by changing the APN to CMWAP and intercepting the SMS. Once installed, it proceeds to order paid apps and purchase premium videos without letting the consumers know. Infected users are extremely likely to rack up huge bills without even being aware.
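
For app-store reviewers and analysts, the behaviour described above suggests a simple triage check: compare a repackaged app's manifest against the legitimate original and flag builds that newly gain APN-write and SMS-receive capability together with an incoming-SMS receiver. The sketch below is an added example, not code from TrustGo or from the malware; the function names and both manifests are constructed, and the permission set is an assumption about what the described behaviour requires, using standard Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: capabilities the described behaviour needs (not a TrustGo IoC list).
SUSPECT = {
    "android.permission.WRITE_APN_SETTINGS": "can switch the access point (e.g. to CMWAP)",
    "android.permission.RECEIVE_SMS": "can read incoming verification codes",
}

def permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

def sms_receivers(manifest_xml):
    """Return (receiver name, filter priority) for receivers of incoming SMS."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                found.append((rcv.get(ANDROID + "name"), int(flt.get(ANDROID + "priority", "0"))))
    return found

def triage(original_xml, candidate_xml):
    added = permissions(candidate_xml) - permissions(original_xml)
    findings = [f"added {p}: {why}" for p, why in sorted(SUSPECT.items()) if p in added]
    receivers = sms_receivers(candidate_xml)
    findings += [f"SMS receiver {name} (priority {prio})" for name, prio in receivers]
    return set(SUSPECT) <= added and bool(receivers), findings

# Constructed sample manifests (decoded XML form), not taken from any real app.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><receiver android:name=".Sync">
    <intent-filter android:priority="2147483647">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(ORIGINAL, REPACKAGED))
```

A hit is a reason for manual review, not a verdict: legitimate apps may also request these permissions, so the comparison against the original build is what carries the signal.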