Dangerous SMS Malware “ExpensiveWall” Has Infected 4.2 Million Android Devices

Dangerous SMS Malware “ExpensiveWall” Has Infected 4.2 Million Android Devices

A new SMS malware is making its way through the Android community. The so-called “ExpensiveWall” malware was downloaded up to 4.2 million times from the Google Play Store before the infected apps were removed.

The malware sent premium SMS messages for fake fee-based services without the knowledge or permission of users. Users would download a seemingly innocent app, only to discover enormous charges on their next phone bill. The malware silently sent SMS messages to premium numbers, and users would pay anywhere from $1 to $10 per message – which is where the name “ExpensiveWall” came from.

The malware was spotted in 50 Android apps listed on the Google Play Store. One of the most popular apps used by the SMS tracking software was an Android wallpaper app called Lovely Wallpaper.

Across all 50 apps, there were an estimated 1 million to 4.2 million downloads for ExpensiveWall-infected apps. However, the total number of downloads for this year is much higher:

“ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times”, wrote Check Point researchers in a blog post discussing the technical details of the malware.

This Latest Version is More Advanced Than Any Before

The latest iteration of ExpensiveWall is more advanced than previous members of the family.

That’s because this version uses a type of advanced obfuscation technique called “packed”, where malicious programs are compressed and encrypted to avoid detection.

In layman’s terms, packing involves squeezing and password-protecting dangerous malware into a tiny file. Antivirus scanners have difficulty unpacking that file, so it passes undetected through scanners.

Google Has Unsuccessfully Tried to Ban the Malware Before

One of the most worrying parts about the ExpensiveWall SMS tracker is that Google has unsuccessfully tried to remove it from the app store before.

Google was notified of this latest infection on August 7, and promptly removed the infected apps. However, the malware re-emerged on the Google Play Store days later on a new, unidentified app, Check Point researchers reported. Because of this re-emergence, an additional 5,000 devices were infected before the new app was removed 4 days later.

Google has been battling rogue Android apps all year. An increasing number of malicious apps seem to be breaking through Google’s “walled garden” and making their way onto the handsets of users.

For years, the best way to avoid Android malware was to avoid downloading apps from outside the Google Play Store. Now, based on this latest malware attack, users have to be careful even when downloading apps from the Google Play Store.

How ExpensiveWall Works

If you’ve downloaded a suspicious app lately – including the popular Lovely Wallpaper app mentioned above – then you need to remove the app as soon as possible.

The malware goes to work quickly. Once you’ve installed an infected app, the app will request several device permissions – including internet access. This allows the app to connect to a command and controller (C&C) server.

The app will also request SMS permissions, which allows it to send and receive SMS messages on your behalf. Once you’ve granted this permission, the app will begin sending messages to premium numbers.

One of the sneakiest parts about the ExpensiveWall SMS tracking app is that the permissions aren’t outlandish. Many people don’t think twice when an app asks for internet access, for example.


In any case, SMS tracking apps like ExpensiveWall have been popping up throughout the year. Be extra cautious when downloading apps from the Google Play Store in the future. In the meantime, you can download a legitimate, easy-to-use, and legal SMS tracking app like SpyStealth to use today.