Keeping Android smartphones and tablets safe from malicious apps is a constant battle for enterprises, end users, and Google. Despite Google’s efforts to prevent cybercriminals from infiltrating Google Play, the Check Point mobile research team has discovered new Android malware that it calls CallJam.
CallJam malware includes a premium dialer to generate fraudulent phone calls as well as a rough adnet capable of forcibly displaying ads to its victims. The malware is hidden inside the game “Gems Chest for Clash Royale”, which was uploaded to Play in May. Since then, the game has been downloaded between 100,000 and 500,000 times.
Check Point notified Google about the malware.
CallJam redirects victims to malicious websites that generate fraudulent revenue for the attacker. The app also displays fraudulent ads on these websites instead of displaying them directly on the device.
Before it can make premium calls, the app requests permission from the user. As we’ve seen in previous similar attacks, most users grant permissions willingly, often without reading or fully understanding information about the permissions they are granting.
The C&C server then sends CallJam a command with a targeted premium phone number and the desired length of the call. The app then initiates a call using the parameters provided, generating potentially large revenues for the attackers.
Some Android users who downloaded the infected game noticed this strange activity. Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk.
Check Point Mobile Threat Prevention detects and stops Android malware like CallJam.