Everybody's favorite instant messenger service, WhatsApp, inadvertently became an accomplice to a malware scam recently, when code in some dubious apps used the account details WhatsApp stores on the device to harvest user phone numbers and sign them up for a premium text messaging service. The apps involved have been removed from the Play Store, but it's still worth checking whether you have any of them installed.
The malware apps, identified by security researchers at Panda Security, included the following four free apps:
The scam was delivered in a particularly ingenious way. When a user opened one of the apps, they were prompted to tap through to another part of it. In the example given by Panda, a diet app invited the user to open a particular diet, but the 'Accept' button popped up on top of the previous screen together with a block of fine print so small that no normal person could actually read it. Tapping through to the diet also meant agreeing to all of those terms and conditions, which included signing up to a premium texting service.
WhatsApp enters the fray where the phone number is required. An app would normally pull the user's number from the SIM card, but many carriers do not populate that field on the SIM, so the lookup frequently returns nothing. To get around this, the malware apps simply piggybacked on WhatsApp: the messenger registers an account on the device under the user's phone number, so any app with permission to read the device's account list (GET_ACCOUNTS on Android) can read the number from there. Once the dodgy apps have your number, they register it with a premium SMS service, silently complete the confirmation step, and delete the confirmation message so no trace is left on the handset. Sneaky stuff indeed. Here's how Panda Security described the process:
Without the user's knowledge the app will get the phone number of the device, will go to a website and will register it to a premium SMS service. This service requires a confirmation to be activated, which means it sends an SMS to that number with a PIN code, which has to be entered back to end the process and start charging you money. This app waits for that specific message; once it arrives it intercepts its arrival, parses it, takes the PIN number and confirms your interest in the service. Then it removes it, no notification is shown in the terminal and the SMS is not shown anywhere. Again, all this is done without the user's knowledge.
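One concrete check you can run against your own device, added here as an example and not code from the article or from Panda Security: parse the `requested permissions:` blocks of `adb shell dumpsys package` output and flag apps that combine the three capabilities the steps above need (read an account or phone identity, reach the network, and receive SMS). The dump embedded below is constructed and its package names are invented; the permission combination used as the heuristic is an assumption drawn from the behaviour the article describes, not a published indicator.

```python
"""Triage helper: flag installed Android apps whose requested permissions
match the pattern described above (read identity, talk to a website,
receive and suppress SMS).

Added example; not from the original article or Panda Security. Input is
the text printed by `adb shell dumpsys package <pkg>`; the sample below is
constructed and the permission heuristic is an assumption.
"""
import re
from typing import Dict, List, Set

IDENTITY_PERMS = {
    "android.permission.GET_ACCOUNTS",      # enumerate accounts (WhatsApp's is the number)
    "android.permission.READ_PHONE_STATE",  # read the SIM line number, when present
}
NETWORK_PERMS = {"android.permission.INTERNET"}  # post the number to the subscription site
SMS_PERMS = {"android.permission.RECEIVE_SMS"}   # see the PIN SMS before the user does

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names are invented for the example.
SAMPLE_DUMP = """\
  Package [com.example.dietplans] (3f2a1b9):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.GET_ACCOUNTS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (5c0d7e1):
    userId=10088
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messenger] (7a9b2c4):
    userId=10089
    requested permissions:
      android.permission.INTERNET
      android.permission.GET_ACCOUNTS
      android.permission.READ_PHONE_STATE
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""

_PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")


def parse_dumpsys(dump: str) -> Dict[str, Set[str]]:
    """Return {package name: requested permissions} from dumpsys-style text."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for raw in dump.splitlines():
        line = raw.strip()
        header = _PKG_HEADER.match(raw)
        if header:
            current = header.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None or not line:
            continue
        if line == "requested permissions:":
            in_requested = True
            continue
        if line.endswith(":"):  # any other section header closes the block
            in_requested = False
            continue
        if in_requested:
            perms[current].add(line)
    return perms


def flag_premium_sms_pattern(perms: Dict[str, Set[str]],
                             allowlist: Set[str] = frozenset()) -> List[str]:
    """Packages that can read an identity, reach the network and receive SMS.

    Messengers and two-factor apps legitimately match, so pass them in
    `allowlist`; the result is a triage list, not a malware verdict.
    """
    hits: List[str] = []
    for pkg, p in sorted(perms.items()):
        if pkg in allowlist:
            continue
        if p & IDENTITY_PERMS and p & NETWORK_PERMS and p & SMS_PERMS:
            hits.append(pkg)
    return hits


if __name__ == "__main__":
    parsed = parse_dumpsys(SAMPLE_DUMP)
    for pkg in flag_premium_sms_pattern(parsed, allowlist={"com.example.messenger"}):
        print("review:", pkg, sorted(parsed[pkg]))
```

On a real handset, feed the script the concatenated output of `adb shell dumpsys package <pkg>` for each package from `adb shell pm list packages`. Expect legitimate hits (the messenger in the sample is one), which is why the allowlist exists. Note that since Android 4.4 only the default SMS app can suppress an incoming message, which blunts the deletion step described above, but an app holding these three permissions can still read the PIN and complete the sign-up.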
Have you been scammed by an app in Google Play? Did you install any of these apps?
Source: Panda Security