The Asian hacking gang AsiaHitGroup has returned with another billing-fraud campaign. The group, active since 2016, is responsible for multiple billing-fraud campaigns that have been run in countries around the world. Its newest one, targeting mobile devices in Russia, Thailand, and Malaysia, managed to steal over $100,000 before the apps were taken down. The apps were available on the Google Play Store and ranged from ringtone applications to QR readers and more. Each app carried Sonvpay, a fake-installer component.

All of the apps found to be malicious worked as advertised once downloaded; the only permission each app requested after installation was access to SMS messages. In the background, Sonvpay used push notifications to subscribe the user to premium-rate services. With that subscription in place, AsiaHitGroup tricked the phone into paying the “cost” the app stated for the premium service, collecting the amount charged. AsiaHitGroup applied an advanced level of customization to this campaign, adjusting each app to the location of the phone. If the phone was not within a targeted location, the app showed the user an error message telling them to delete the app because they did not have the most recent version.

AsiaHitGroup has been carrying out attacks of this style since 2016 and continues to evolve its applications to make them seem more legitimate. This campaign is further proof that malicious apps can make it onto the Google Play Store.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense