CATEGORIES

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit you in your wallet!

September 14, 2017

 

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges for fake services to users’ accounts without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before affected apps were removed.

The new strain of malware is dubbed ‘ExpensiveWall,’ after one of the apps it uses to infect devices, ‘Lovely Wallpaper.’ ExpensiveWall is a new variant of a malware found earlier this year on Google Play. Downloads of the entire malware family reached between 5.9 million and 21.1 million.

Figure 1: One of the malicious apps containing ExpensiveWall

What makes ExpensiveWall different than its other family members is that it is ‘packed’ – an advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections.

[For more information on Check Point’s advanced detection capabilities in SandBlast Mobile, download the research report recently presented at DEFCON]

Check Point notified Google about ExpensiveWall on August 10, 2017, and Google promptly removed the reported samples from its store. However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices.

What does ExpensiveWall do?

The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.

Why is ExpensiveWall dangerous?

While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

How does ExpensiveWall work?

Once ExpensiveWall is downloaded, it requests several common permissions, including internet access – which allows the app to connect to its C&C server – and SMS permissions – which enable it to send premium SMS messages and register users for other paid services all without the users knowledge.

While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.

ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI.

Each time the device is switched on, or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in an embedded WebView. This page contains a malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages. The malware initiates the JavaScript code by silently clicking on the links in the webpage, in the same way it clicks on ads in other occasions.

Figure 2: Clicking functionality used by the malware 

 Subscribing victims to paid services

The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below:

Figure 3: Code used to obtain phone number

 

Figure 3: Code used to obtain phone number

Figure 4: A premium service the malware subscribes the user to

Sending premium SMS messages

In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called “Continue,” and once the user clicks the button, the malware sends a premium SMS on his behalf. Below is an example of the HTML code containing the embedded JavaScript:

Figure 5: embedded JavaScript responsible for sending SMSs

ExpensiveWall on Google Play

The malicious activities did not go unnoticed by the users, as one notes below:

Figure 6: User’s comments on an ExpensiveWall app

As seen in the image above, many users were suspicious and suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.

After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.

Users and organizations should comprehend that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

How to stay protected

Cutting-edge malware such as CopyCat requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available. Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point Anti-Bot blade, which provides protection against this threat with the signature: Trojan.AndroidOS.CopyCat

Check Point Anti-Bot protects users with the following signature: Trojan.AndroidOS.ExpensiveWall

Appendix 1: List of Package names and downloads:

Package Name App Name min max Uploaded to Google Play
com.star.trek I Love Fliter 1,000,000 5,000,000 18/09/2016
com.newac.toolbox Tool Box Pro 500,000 1,000,000 19/10/2015
com.newac.wallpaper X WALLPAPER 500,000 1,000,000 27/09/2015
com.yeahmobi.horoscopeinter Horoscope 500,000 1,000,000 16/03/2015
com.gkt.xwallpaper X Wallpaper Pro 500,000 1,000,000 02/06/2015
com.gwqcv.zsfy Beautiful Camera 100,000 500,000 11/05/2017
com.hdsj.hdey Color Camera 100,000 500,000 16/03/2017
com.lovephoto.gp.inter Love Photo 100,000 500,000 13/03/2017
com.parrot.tidecmr Tide Camera 100,000 500,000 22/03/2017
com.zerg.charmingcmr Charming Camera 100,000 500,000 22/03/2017
com.constellation.prophecy Horoscope 100,000 500,000 30/06/2016
com.desktoptools.screenunsubscribe DIY Your Screen 100,000 500,000 21/07/2016
com.gkt.ringtonegp Ringtone 100,000 500,000 02/06/2015
com.gpthtwo.horoscope ดวง 12 ราศี Lite 100,000 500,000 03/11/2015
com.guard.defend Safe locker 100,000 500,000 17/06/2016
com.newac.wifibooster Wifi Booster 100,000 500,000 04/11/2015
com.newera.desktop Cool Desktop 100,000 500,000 30/06/2016
com.newera.toolbox useful cube 100,000 500,000 12/06/2016
com.pl.toolboxpro Tool Box Pro 100,000 500,000 22/01/2016
com.something.someone Useful Desktop 100,000 500,000 17/09/2016
com.yeahmobi.horoscope ดวง 12 ราศี Lite 100,000 500,000 20/28/2014
com.yeahmobi.horoscopegpadap Horoscope2.0 100,000 500,000 23/03/2015
com.cegqz.uoud Yes Star 50,000 100,000 03/05/2017
com.cmr.shiny Shiny Camera 50,000 100,000 03/05/2017
com.johg.udrad Simple Camera 50,000 100,000 07/07/2017
com.scamera.smiling Smiling Camera 50,000 100,000 07/06/2017
com.cmr.universal Universal Camera 50,000 100,000 16/05/2017
com.gb.toolbox Amazing Toolbox 50,000 100,000 23/03/2016
com.genesis.awesome Easy capture 50,000 100,000 24/10/2016
com.newera.memorydoctor Memory Doctor 50,000 100,000 15/06/2016
com.pl.toolbox Tool Box Pro 50,000 100,000 08/12/2015
com.sexy.pic Reborn Beauty 50,000 100,000 28/07/2016
com.joy.photo.gp.inter Joy Photo 50,000 100,000 02/08/2016
com.fancy.camera.gp.inter Fancy Camera 50,000 100,000 09/08/2016
com.amazing.photo.gp.inter Amazing Photo 50,000 100,000 13/09/2016
com.amazing.camera.ggi Amazing Camera 50,000 100,000 05/01/2017
com.super.wallpaper.gp.inter Super Wallpaper 50,000 100,000 30/08/2016
com.aolw.maoa DD Player 10,000 50,000 13/03/2017
com.bbapcmr.fascinating Fascinating Camera 10,000 50,000 13/04/2017
com.coral.muse Universal Camera 10,000 50,000 13/07/2017
com.cream.lecoa Cream Camera 10,000 50,000 27/03/2017
com.dmeq.oopes Looking Camera 10,000 50,000 23/05/2017
com.dosl.wthre DD Weather 10,000 50,000 23/05/2017
com.fqaf.dlksk Global Weather 10,000 50,000 03/05/2017
com.ivxz.ykvlf Love Fitness 10,000 50,000 23/05/2017
com.jpst.lsyk Pretty Pictures 10,000 50,000 06/04/2017
com.kifb.mifv Cool Wallpapers 10,000 50,000 10/01/2017
com.magic.beautycmr Beauty Camera 10,000 50,000 04/04/2017
com.opaly.nqib Love locker 10,000 50,000 12/05/2017
com.real.stargh Real Star 10,000 50,000 27/02/2017
com.sadcmr.magic Magic Camera 10,000 50,000 14/06/2017
com.scamera.wonder Wonder Camera 10,000 50,000 14/06/2017
com.scmr.funny Funny Camera 10,000 50,000 02/06/2017
com.simon.easy Easy Camera 10,000 50,000 28/02/2017
com.smgft.keyboard Smart Keyboard 10,000 50,000 14/06/2017
com.xnoc.jdvy Travel Camera 10,000 50,000 02/05/2017
com.yiuw.fhly Photo Warp 10,000 50,000 20/01/2017
com.yjmn.vokle Lovely Wallpaper 10,000 50,000 07/07/2017
com.ysyg.wtmca Lattice Camera 10,000 50,000 09/06/2017
fast.bats.chaz Quick Charger 10,000 50,000 08/05/2017
com.upcamera.xgcby Up Camera 10,000 50,000 18/01/2017
com.photo.power.gp Photo Power 10,000 50,000 23/11/2016
com.asdf.fg.hdwallpaper HDwallpaper 10,000 50,000 13/12/2016
com.gb.wonderfulgames Wonderful Games 10,000 50,000 09/04/2016
com.gkt.fileexplorer BI File Manager 10,000 50,000 01/08/2016
com.gkt.wallpapershd Wallpapers HD 10,000 50,000 03/01/2016
com.kevin.beautyvideo Beautiful Video-Edit your Memory 10,000 50,000 22/09/2016
com.newera.beautifulphoto Wonderful Cam 10,000 50,000 12/06/2016
com.next.toolset useful cube 10,000 50,000 30/06/2016
com.ringtone.freshac Ringtone 10,000 50,000 26/11/2015
com.gkt.gamebar Exciting Games 10,000 50,000 15/09/2015
com.replica.adventure.gp Replica Adventure 10,000 50,000 07/07/2016
com.gg.player.gp GG Player 10,000 50,000 12/07/2016
com.love.camera.gp Love Camera 10,000 50,000 20/10/2016
com.oneshot.beautify.gp Oneshot Beautify 10,000 50,000 01/08/2016
com.pretty.camera.gp Pretty Camera 10,000 50,000 18/10/2016
com.hygk.hlhy CuteCamera 5,000 10,000 22/02/2017
com.kkcamera.akbcartoon Cartoon Camera-stylish, clean 5,000 10,000 08/03/2017
com.craft.decorate Art Camera 5,000 7,000 13/08/2017
com.amazing.video.gp Amazing Video 5,000 10,000 16/11/2016
com.fine.photo.gp Fine Photo 5,000 10,000 22/12/2016
com.applocker.coldwar Infinity safe 5,000 10,000 09/09/2016
com.final.horosope Magical Horoscope 5,000 10,000 21/02/2017
com.gp.toolboxche Toolbox 5,000 10,000 28/04/2016
com.prettygirl.newyear Cute Belle 5,000 10,000 12/01/2017
com.roy.cartoonwallpaper CartoonWallpaper 5,000 10,000 06/09/2016
com.thebell.newcentury Ringtone 5,000 10,000 01/08/2016
com.aypx.ygzp Best Camera 1,000 5,000 16/02/2017
com.colorful.locker Colorful Locker 1,000 5,000 09/05/2017
com.hlux.wfsha Light Keyboard 1,000 5,000 21/07/2017
com.ytkue.oprw Safe Privacy 1,000 5,000 07/06/2017
com.qwer.enjoy.enjoywallpaper Enjoy Wallpaper 1,000 5,000 03/11/2016
com.file.manager.gp File Manager 1,000 5,000 13/12/2016
com.highfirst.fancylocker Fancy locker 1,000 5,000 05/01/2017
com.cute.puzzle.gp Cute Puzzle 1,000 5,000 05/10/2016
com.keyboard.smile Smile Keyboard 500 707 16/05/2017
com.owexs.iouert Vitality Camera 100 500 04/07/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.camera.kfcfancy Fancy Camera 100 500 20/03/2017
com.hhcamera.useful Useful Camera 100 224 06/03/2017
com.owexs.iouert Vitality Camera 100 224 04/07/2017
com.sec.transfer Sec Transfer 100 136 14/03/2017
com.tools.yidian Lock Now 100 500 23/01/2017
com.bpmiddle.oneversion Magic Filter 100 224 21/09/2016
com.funny.video.gp Funny Video 100 500 07/10/2016
com.ads.wowgames Amazing Gamebox 100 224 22/05/2016
com.wtns.superlocker Super locker 10 50 25/04/2017
com.musicg.ckiqp Music Player 1 2 06/04/2017
Total   5,904,511 21,101,567

Appendix 2: List of Command and Control servers:

Channel[.]gpnmobi.com

channel2[.]gpnmobi.com

adsadmin2[.]yasune360.com

adsadmin2[.]longqingdianzi.com

adsadmin[.]mobgkt.com

payapi[.]mcddmedia.com

payapi[.]hehemobi.com

 Appendix 3: SHA256 binaries:

App name SHA256
com.gwqcv.zsfy 42220ec35b2dacae0ee50f90aece9e2ec74cd04e88d9f25adea8d951829f9fb6
com.hdsj.hdey bf6bedf3a2c4e833b6506c5a6563d10368f96fd695cd1e65a34710e64bdc9a80
com.lovephoto.gp.inter 6409413d6b3abe9b079d11d6cfe34ca041c29008e502a1dfeae194b868e27bd2
com.parrot.tidecmr 198aa269c385c3a072ba904c8c376fa9793d85e5baa9a64c6cc01f6329719d53
com.zerg.charmingcmr b88e1e4724f52b31c3ba3aa5eda245bc541a97fa45fe8abbe53ac75da51b202f
com.cegqz.uoud d99cbf4ca0eef052e5821a60478d2c893242ad05831a43145f517adc097c659a
com.cmr.shiny d6b48311cfab9644f95a3aac2a20c2a77dc301b9a8e08df66f234639e05fcf6c
com.johg.udrad 1e8e934958fd414c2d2ab73755aa3ac13370152e2f5b01451c050fa828990421
com.scamera.smiling 7cfb3c259540960f5aa6a9c6a00827c6f64df95483d400832a642af8baf6d5f0
com.cmr.universal 1d13a1d9e6a152ff9a2e76ab3083f877f3286ce072f771c5175eef156c06d8bf
com.aolw.maoa 08ea9f68ea317b0844c2d307cef0ae68d3d3c8e7249c319a0e0549861a8fb7ce
com.bbapcmr.fascinating 544b430c4506fff0e57d0a833b8cc35be448717054cc0b9aaa063ac2ad6e182d
com.coral.muse 1f7a97dc2b21b12d861f0c20f03db35942a2e93d117d068a85e125e0789a06c8
com.cream.lecoa 4fdbc33475693312ecac04f82a4acbf456b606e81fecc5a90f62a149f7be3198
com.dmeq.oopes a5c6350220156078a8e6f4818c28a42c7bf246616f4acf5afa5ff5ee52f39a0f
com.dosl.wthre e8ac59b2a81a0a24fe1abf144555a1556648e6e53bcf549525e2dc30f6a19f63
com.fqaf.dlksk 33c988f977eb56083b1bb5a2ec69fc0c033cba62ecbf47a6fb61d2ff6f1e78ad
com.ivxz.ykvlf 1221a27a1716fda2e3fe7c2da3e3d6def4fbc71d4c15e99aa9d941049233ecc5
com.jpst.lsyk 2c511b6b4673270421316a633bb33a6ddd8320256d55c46ae4484b349c917106
com.kifb.mifv 73187cbbcbff18bfa189af05e466b27e7ce983dd5d2f0c82bec0f9d1850e418c
com.magic.beautycmr 20fb6d42200f77825889047c8c8da0b0388cdd25550260cf55a5d32ab14d5079
com.opaly.nqib 43a95e57395627292b4657e2291f85a7ea6807a40c30b09c81033b264dec7ab8
com.real.stargh 2013d71cd7e25927e4703176294ba7940dcb6e338e2a4a57d60a5e9bfdaa82d9
com.sadcmr.magic 1942fa51e09489c680358419eeb43c2a16042a83c8443dc0a7d29710772f1e01
com.scamera.wonder 4cef29d89868fc07949647446cf2d0ce276f53d438a4cda562be1bc59bd09e01
com.scmr.funny a4bcbba4ae398b1793cf22f125c8a38690a54c9abd2412101e0a3baf23c9bf84
com.simon.easy 8f62873372b3fc08dd75d078e9a6dff1c5023883c3553248e32ceae0030bbae7
com.smgft.keyboard cd6fb142d39b3329d2ff1110a6a51a4e14447524f83b4e2e6026ceddc85e9233
com.xnoc.jdvy b382e40546840d5fff42a8709feb7d5b882fc07e76949bfb63e691b01d65a3d7
com.yiuw.fhly 06b9b327381600b6b6945707f4079d1559cbc85a7591bcc067c4559df4cc9e22
com.yjmn.vokle c3a837586b6d8b4a23ee635059c91bff7ef4212aa86323abc2578660735a8b39
com.ysyg.wtmca d94497b8f4abfbfa811ab9ab7e0057c369ad64835aef3ac9a81686ce48a8cfeb
fast.bats.chaz fd865dfef38457927cd1c773126fd3400434210cded4be779e504176a42044af
com.hygk.hlhy f5e2c75b675e8346edcd62088b0b78534dc80b016d6b5c1ae3a5c389de66b9de
com.kkcamera.akbcartoon 435097086e936207f49a6b877e0417046762b3f64f63cf1dd50d4c9efe6cae73
com.craft.decorate 6c7bc1765216be81e8e4e957f3838913e7aaa39a25f4f023fe7100473237af4c
com.aypx.ygzp 9d139d54df82b5d14987c6525cb1304eb9ab56681fce684d9f69000724b7458e
com.colorful.locker 1ad84c2410372663bcfc000dfcd5aa31c67e71b975ee8058c0086c172a5eb251
com.hlux.wfsha 77e94e0abfc957b8f1fac061ca7dc60e01f40da6dfbbe4336ae338bb72970bbf
com.ytkue.oprw c4e974ead4871d405475b23387445e0a51a18ef5292e21df420611274e1660ca
com.keyboard.smile 6f804c4599f42b1d10440de3b0a889935fcb57590640fc99e81744567672161c
com.owexs.iouert 81f2940293945f2f6fb2a3b39bd264443a8311d0238848c9cb5e75bb71d384d2
com.tools.yidian 5d8f1e948f8ab78bad083710642857a806a1a66885317f54fde65710532ee572
com.camera.kfcfancy 4916685ca823d7934d240c5fb28b155b969fae58b2fb38317683453e9268b7b6
com.hhcamera.useful d9ac49bd654c2c8406f2aef20939a9034bb7ca93972e90149d69cb48fae35583
com.owexs.iouert 81f2940293945f2f6fb2a3b39bd264443a8311d0238848c9cb5e75bb71d384d2
com.sec.transfer 5468540e751a1768f703cd30f5414541c8473fdfb37b7b971f8ee5ba85f902e0
com.wtns.superlocker 4be55fb1a20e295c3526430d267ed025541ae8dd08e3dff3def0e20e9c652916
com.musicg.ckiqp 9f0fc7055f7e7eec3ba71d7a4021ac10a407a45ae63a54d38312418229b456a5
com.magic.beautycmr 491a6ff2459fa46e2acebd6ef131c0873a73a5611d796d8f2be357a9510872fa
com.bbqcmr.beauty b669647b38d2d9d2eab070e67a5a5cfd5bb471b471c7e022d57ca6590a5c832a
com.cmrqaz.cccolor 704769580d5803943dc505ffba88484c25bb1dffac92442d7589006b6d299352
com.dwt.dsaxsw 9ce72cdc2750ebacf7cd2971a58accea689d62938945c6a93a2c0bfc95120b64
com.gwqcv.zsfy 3d022104b7eecc7ab6f53669254b7fdf79d9071b3e6855d82da00ec3be376a38
com.lowkey.easylocker a64795664e4a2ae7bfb9ab7ad905bbbdfc9fc1f3307c5ea8e5502366f6bf6510
com.ntnk.hjhsd c2a853086da0c72894f3ff92998a7647c426ba914bf35d21849df1f6af043013
com.ntnk.hjhsd c2a853086da0c72894f3ff92998a7647c426ba914bf35d21849df1f6af043013
com.scamera.wonder 94668d5233d91e1de2c38286766e0f51f98fa8842e69773134724f3c2407b421
com.scmr.funny 90f837b843b669b105770d13a1072b5361d5b291f0225a269f313f3a85bc7d09
com.scmr.funny 25bbb8fd6c72abea6dcca4abc01dbda02855b9064ea137822fa89acca2ddf14a
com.scmr.funny dc404b0440c1566e9cc9f49be4ac089d7b4d31b9c55fbb7897112ebbbefb5302
com.tngh.geuth ae70bae77e1c8084605721a0f221b3f2a7871075702402d2fd01649f2d7dcc3e
com.awesome.diyedu.nxhgzxbn.diyscreenv 7027f4ccb0117e1da587fb60072603b03e89a1619b3126300b664741b07ed286
com.photo.artware cd19d762f8971343bec5e0dbd256a993a5de8801b933d3c828073f4a9b73dede
com.scmr.funny d241db3dd0dec4424dd4b8dfe66d181e0e2170e99e2e408b870429ea7a0ae3f1
com.upcamera.xgcby 2522c9f3cc348a606b3192c55381dbff1d77e6b28171697412bf2346ae0aa7d0
com.beauty.builder.ngp aef014dfc378ee9dcf83ce6dd04283adf646ca68e05c6bba71ac8ecee5f901a8
com.common.gear.gp 177ad657dc240c9642cdd7e3d1a168adca40906fe9acdc530c1895274688b558
com.exciting.games 857d06bd6d1667aade097cbdf42e744969e7e93940b3ac34cdac960217b57b8c
com.supercamera.gp 1ac9b9a494167fee0079607e040e26781676c6dea738dc069c5601fb95180eb1
com.wireless.enhancer.gp 3708742049ff6c07796f49f24f8e8c60012afd38309196a8cdab642c83075baa
com.star.trek b4b27bd7dfb0b1d9379ef23667e122de36e47e847cf280cf3a753ed0a9ab194b
com.newac.toolbox 850de7010acca816d7389b6f1e9f8c51512775bef70799e21939bc6588429ec9
com.newac.wallpaper 141f0d9cb3a7a3ce67160a91233895848a076ec98bb32fc60086d8685530e885
com.yeahmobi.horoscopeinter 2fecb5e991a1a5b0a81cdeeee260fecb5d6ff71f051876bf71274478f9ae9aab
com.constellation.prophecy b684b98a55b8baca0ebb644e15bec3f70e5aa9eb30190b846f01af2bedf9ae7b
com.desktoptools.screenunsubscribe ba1ed4c0127da6305ef3e76df1d323f75ed62b91589af7abd498909a66926604
com.gkt.ringtonegp f6ed24959d7fe9da1c3c6ae3f8d7037d2c6a3f6e0300773fbc352544f81d8bbe
com.gpthtwo.horoscope 06e3268842a34f8277f92e5987204c62a5c2f66606c57455466bcff115712f8c
com.guard.defend 745ed2e9f00b2a8e2178790a9e3299eba212f80cb4136e5167814c1df48d7119
com.newac.wifibooster 3eb0d3a9acff4263945831093f87fc99a6888b5444d647cfb6c0d47654801ec8
com.newera.desktop 45f1ee807a841e68a78b039bd0e9ed4e0f401cfef337942f86d265103714ddc8
com.newera.toolbox 02bb4bc31f7c7e6c6f5bde1a6f90cb920dd0960fb71b08da3649228354d806f3
com.pl.toolboxpro 56e15c075d717ff74da2eb00c18d70d6b7016ebfad9c944de238f231934eb0b6
com.something.someone f65709472fda46b1e52d9b79c4c453c11be8fc9672e74de360d47acf7ca6646a
com.yeahmobi.horoscope c1f6821e3c9c6d99626e7484ef264236631258337e2d5e613856158a8139d049
com.yeahmobi.horoscopegpadap e167dd73f53a19c4e019353a331e4cc677103dd7e88120de0946f14ea5f075b0
com.gb.toolbox 901c45d786b84a9932a2eb1d081d27597e5aedff2b142e632d8a7aed0384b30a
com.genesis.awesome 6c68af032756fa2e0a405deb221f7e3801f801b2c75c097b1539fd48958b9218
com.newera.memorydoctor ce81d8e66998602194a2c2ff06c2c9b0eb38a0136511fcf848935e1f62e058f2
com.pl.toolbox e1740ca23bd5772b460e7dc9da12fc82c55fd4b57ff73d2cbb9dac2dd3f800c9
com.sexy.pic a0bf3cbcfbae04c6e3a124f0e4cdcb5c728e535d686ace439965bc83f182598d
com.photo.power.gp e135b5a61160bf81605116c887abd4d8534911afab38949f5c45f9e273634a44
com.asdf.fg.hdwallpaper 72bfcd50c1cb863d1861ffb66df05a7a722e1841b7dd0604c62462cc420fa81f
com.gb.wonderfulgames 5ca918ea1d034002161dd33bc88792056cdabd97f995dec09546b305d79e5d57
com.gkt.fileexplorer 07490b6121c7b70be06b8d404d286643856a180bbe8906706e8e6ee9f819d74b
com.gkt.wallpapershd 56b4d8d994c2ab8c4b5173242655e67563adbf6981df25701bb77c8883a8175b
com.kevin.beautyvideo e85892968f8861a00b712c8f35b390afe3e3676382858976ed3528d7939524d1
com.newera.beautifulphoto c91a3331419e48019df2dafe31d208604a07493b4a6751ed32bb4eaa73a00c42
com.next.toolset 773660d993b4977e4c5352b7941af735e8bcc8f1438924f403776fa5f5b54273
com.ringtone.freshac 550a906a0bd0fdf78b9d68bf15f3b6d53881134df091f16d20560105fc4ac7e1
com.amazing.video.gp a37d8f00ff50e2c1165dc114f9502dafdd84fc52f29205472efef54a7e3b88fb
com.fine.photo.gp 6bc14ac543cbc1b9c4eb5a125aa84517adb652762d8d95353f5164f4a108beac
com.applocker.coldwar 73219d74eda86e9639f92e81e752e1dcbffd2e74663a7301a41dc19669032494
com.final.horosope 5a86af86732709e3aaaf8b8ddb830a756812cbe20bc4022cfad9be76bf821e09
com.gp.toolboxche 7f5b66ff4f565871dcc672a27c13acd035b35933e7d711187c27529854a0de18
com.prettygirl.newyear a5787c66adc9ee773273f069dddf8e1f8b643bbdd86f9854d0c8d01751b6ee1a
com.roy.cartoonwallpaper fb0620a976bffc5c98f27282c9d592c99a569401974f9019de9edafb175f7605
com.thebell.newcentury 072fb9ca16cddf5f0f94ffaf74586064dbca723e9b2e0213eafe0280ba1834a3
com.qwer.enjoy.enjoywallpaper ad30f477577706cb92670492e392cd2aa6922a40edcefd3b289f66616aec1b6c
com.file.manager.gp 9d11ac3f7abdcef5199688e8b5544c496e0828ad5401eb34b875ea8b5388790a
com.highfirst.fancylocker 500bd1e796febaeefdc7abefc71001316291c8fa1455b7d50d6daed065031783
com.tools.yidian 5d8f1e948f8ab78bad083710642857a806a1a66885317f54fde65710532ee572
com.bpmiddle.oneversion 9ccbbb86217f4e904b3539106674d58508af138c071c225a608465d5ae0b76d3
com.asdf.fg.hdwallpaper 1bd363aacd4e24efdb98667d65f834be2249b57313a5561e6ac4e4cdf6736046
com.qwer.enjoy.enjoywallpaper 421dfbe7382e99c25c610cabaff693a7a216a9a7c15ab7e48be4bc8bb4b0347d
com.asdf.fg.hdwallpaper daffefbb8a9a0b548dcef0633397d4e97b659b37c8f9ae36393c63f6f50a6b0f
com.constellation.prophecy 0c9e639cf879323c6a9b7a447468c2594a84723984348aafe0fed019615fd09b
com.defend.energy 90a40bdfc9482bc8aa7ca9437d6f718013549171f26a5ee32bfae8eaffbebf53
com.encryption.uae eb3b98af958afc6ee610a6876a72ad65cfb85bb43f92f1793799ea473838ba88
com.epic.awesome 93c6b242d3a4e29649ed8c099db9e6efa6a523dd9814e68c0c43d01cb3992abf
com.gb.toolbox 096b43e5c09782bf5da405e24b4ed6f40b8960bdddf8e827e8b895d012b5c7b1
com.gb.toolbox a8fb1da1a81996a88f657c5c648f359bf9f87cb23b8959636b3c336cbec168d4
com.gkt.horoscope.single001 26717c456300096d7eb4b90e0b88c0c4bee61254830dff4bf293c3f35cab3043
com.gkt.lookerplusaudi c1fe9b458009b09be44e350b8a5e7b2f8e45cf26503adb5d9c3d9da5be842980
com.gkt.lookerplusvip b91e6d4b80b8f4c90c35d5c9860fb9c70bff04568e444b1c091a2132b9e38083
com.gkt.lookerplusvip 881b72072cee5f1f9d820e1df68381056102fe70ca115450da50f090f793e6d7
com.gkt.mattoolbox 556f196fd150470b23c849d7ebe9fbe596356301516b4b9af3a08c38500c99b8
com.gkt.ondemand d3a3911f0f2cb93b490f50019b285330569c7f85dd67f8c11a796e651e378b7f
com.gkt.wallpapershdngp 49b95e3b5b7e29db3461f27ab67d5c825098cb8e1267ea5c4092d9354e91f695
com.gkt.widget.toolbox 1c396e902baf451eceea8f6be6d67b8dc8fa63fb43dc3a649297c6eb1cee9947
com.gkt.xwallpaper 932de0ad86bc0d6d7af2c48561688e31b5cc908d10c5d0d8c7a552f0782168fa
com.gkt.xwallpaper c99256d25b8fa363a4198e21b3fdd6b22cba9b1e5e7725195dea9f2efb3ac13a
com.gkt.xwallpaper 7dc920601d275bce7fa2417ca243b151b34705b7f01dafa3a4951798d60a3225
com.gkt.xwallpaper 60be6337a0c6bbcfef662a19ccaecd996565f629cc5305483bdb339dd3aa19d3
com.gkt.xwallpaper c0d9db2b8acd416d711688f9802ee574849937448778ad4ec5f66400e06463e2
com.gkt.xwallpaperngp 9c7e711d5e2226b389bcbc03fa3127b555da64e1a79f7b2b5a615b2332edb9b9
com.gp.toolboxche 01d765132b87a44382c7a837e0fa5b4a45a9a0918821e703f6224ab5b4d227d4
com.hunter.sky b4ec1d0828190f26b4376cb7c9a144803cf0c216e8caa29553b2b2ad2af073a0
com.hunter.sky 7bd64580fea02d36ac99a025246942d7d8aef856c57e029f01ceb891f0fab95e
com.inter.adtoolbox e3a3362ad7b4e2a8a350eff7a1b187dc2a72f7dd37b90d9ace1885290e1a491d
com.marvel.desktop a29fb4afa75b7b3e37d78375cd15893241ebe23358389d3ec70601a8828df078
com.newac.toolbox 1b319f2d599d90418a04695796c74a8a5cfd94a9b413c097b3f12c565779196a
com.newac.toolbox 4d88265ce65c5ff1a14f1ed57ac772165beeb4f66c3daa5be08a41ff07974bb6
com.newac.wallpaper a22c9b4690c567d7cbd4348ceb9d39ce4b564c94621b58875af68825928a86dd
com.newac.wallpaper c098a34e02c526b0b1368a4717f5ab3c7f3e7ec5f8dad5fcf011d132a1e8438d
com.newera.desktop 4a8d58ee5a305819febc2bc3ad910b104a4e45a6bd71592dad9daeb1a4d1291c
com.pl.toolbox c119f7724817ecd807fe57438a755030d89300af98099643472c12707d916147
com.pl.toolboxnrs 5dcc0e27e7a6a4a177d082938e7f57e873fa85dbde39b05aacc6de065c607957
com.supertoolbox.phone ec9680f1e9e465aff5b75f92458e3bd0c4c1449fc7ddcca5110920525b1994bd
com.supertoolbox.phone 5eb2cbe351610eac3965f925faefea257c969066cf5f003350e3e48f171a5fb1
com.taskmanager.phone 25d4cd3c5a55c2aef1e42242748346cfba7290362d115c5edb513039713ff70e
com.westworld.awesome 4a7b3e40f087ce1dd0d75dac7332ec563c6e3dc0a6df73338e2ad059383ed5cb
com.yeahmobi.horoscope 9cbab54245317a91f8014049a4b0a4f2c87d7e0ac5e3f273942fdd37451dabc0
com.yeahmobi.horoscope 85f747cacd970ec1b368e15dbc2d0a8783519130cab7d4b2895239c2ed03989b
com.yeahmobi.horoscope 0ff4e93d4458454977cb1aacf18b22ffcbc795ffb2bfaeb2a8163eeb66b572fe
com.yeahmobi.horoscope f5ed82957d6d66006fe08448f102aa8dc972ad2886c15f6007e34ba63865f161
com.yeahmobi.horoscopegpadap 802283041896d832d76f2cdf2ced421c886a3021994781e6951922fa895543b6
com.yeahmobi.horoscopegpadap 30b5897e5ed29c139145cc32d353498cca005479df3c8e8f6344a909b81156c4
com.yeahmobi.horoscopeinter 6156bf02ae516c1d01c9914c2a917d7b41ebfb20b8a500768e7276a6c12dae71
com.yeahmobi.horoscopeinter 80a214939bb30b0dff31dd752c87daf92b24d55913a5cd5826c84d35985dc0e3
com.yeahmobi.horoscopeinter f9e91851f0ae459f3a332c831b375422db323000aa1002d2470163725b5d69cc
com.yeahmobi.horoscopeinter c2676cee80c2b35b449f1c95f2d9e3c9e60ad71a3caf6f10cf9e09fc813e52eb
com.yeahmobi.horoscopeinter f83b213beb879a35119a69d0cc3b0c2be47508f48258fcd36036a1151bc238a3
com.yeahmobi.myinfobip e65d5fd6f2afd71667abfe9cc873f8c36501c3a79adc33602c02f79b15548733
com.ymo.ab 7f8be872dc2b093b7eb84fe6499f98cf6ed5af7fb9b0b347e0604a5332499990
com.ymo.ab 1a94b57a153e2ef5d5e6d71dcf7c8ae21f72df0c70154bd14b381afca3855142
com.amazing.video.gp fb065942726f7e324770988b936e0429d1b5e1069aacce6824dca99dc489ea58
com.gkt.xwallpaper 59e85efc2e5842914c26234243658d00e3cb26cab354ac86f7d439baf429222e
com.joy.photo.gp.inter 7225d93ab97e9d08c027e0d531295f8f79f913b90994197e24a19c66cfccd5dd
com.fancy.camera.gp.inter dc2d8b3c4997f26e2599a8fc909ebd3ab79469d96e8758ae2981a36188f30484
com.amazing.photo.gp.inter dc795b18ce5b68e66e2ccf59bfda86a0359cc0531fc3cf825b8d763ac808f522
com.amazing.camera.ggi 527cb114eb4fab08e38cd55de7154aed37312ceb4b98bd01b2c388634bcb9525
com.super.wallpaper.gp.inter c66c6376e4d0972f32befb92b03bd437f90265c0213ac03e6f1b7b8b8cc9db2a
com.gkt.gamebar b23e7462c0a8cafe5d79d18752aae1fd81166cf78e3b1b5c6a803e55ef86f42b
com.replica.adventure.gp 7aeb35872b55782705e744b8ba754f50b2918f85e05a4ff687aa4746b56aeea4
com.gg.player.gp d5b0dc4b46d1826310def6853aa2801b827081242458ed05b09b23addeb43c6c
com.love.camera.gp 7d32f266cdc6fb9387916550c402baf35a77eeef0918ceabdd8d4e2a88f8481b
com.oneshot.beautify.gp 9ddcf5f5c58d53ea486c75439dd133b1d6ff5f62dd1966570e43dbd5c2be20f0
com.pretty.camera.gp 4f54f5ae1dd7bc5fb306f72edde9c13dfb24e37f5730f35eefc4f7d43f5af25d
com.cute.puzzle.gp 6bf25b5aed5b14f97c86d2db0be69a9f914cb159b94421ac9ce92974ca589815
com.funny.video.gp 6b2415accc26f7e6ded836a33a1497b3391508fe56d6082e18210c43446f3491
com.ads.wowgames 79512771beb98bf6ae0cdd89a9c16ec16f2c610535b7e39ec60447b7e1113f4e
com.gkt.xwallpaper 80ae0e785b86b00be104befb4c566efbcec88bfe500e055b00a7df08acea7073
com.gkt.xwallpaper dda5ee7e5d35b39f591ebc40278f9bcc5abba88672892d3b4f69b6b50e98bee3
com.daily.ring.inter fd77703eab1769134c665430b30063bafbcfc4d42b13b0e4b6a2ea21d7911a5c
com.gkt.ringtone 2b212a529495f1d4ff3d0b320bdac72e0da9f5003496dace994ad79e09719ac7
com.gkt.xwallpaper 1bb0a4d166bd4ac59099cf9b541292e880ba26fa8ba900d87c721ef08d071860
com.ymbgkt.dlpayment.remote 230b177b4217d9c667bf3780795afd0e28739db039d8cb00d52e63bed3290938
com.gkt.ringtone dab648e36ff223afb0160c1945afb8f96b68421c77b16bb2e2e6e0605d910110
com.replica.adventure.gp 167f5a51faf4dba2c6fc99d6537a5229f2e62b3fc8b392512a8f5384653b9c5c
com.daily.ring.inter 46d67d8365c39463a759156100a11b476e624e2e08ade995507a665ceed3a28d
com.daily.ring.inter c2cd379f33088e04e586080c302587d5b271b2bd4766be7e048d1d92a427a931
com.daily.ring.inter 724f28da5ff8ce403402b35e06ae03f31ce664739b68082d215a450b184b54d8

POPULAR POSTS

BLOGS AND PUBLICATIONS

  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks