
Beaver: Learning the Right Lessons from ExpensiveWall Android Malware

October 15, 2017 | Blog | Mobile Access and Device Management | By Kevin Beaver, IANS Faculty


Security vendor Check Point recently discovered a new type of malware running rampant across the Google Play Store. Dubbed ExpensiveWall, this malware masqueraded inside rogue wallpaper apps and monetized itself by sending illicit SMS messages and charging user accounts for fraudulent services. ExpensiveWall affected at least 50 apps on Google Play and is one of the largest Android-related exploits on record.

I’m normally not big on what I consider niche security flaws such as this. Instead of getting off in the weeds with every flaw/exploit on every platform like so many in our industry do, I find that mastering the basics and addressing the big stuff with tangible business consequences is a better strategy. A review of the recent Equifax and SEC breaches/debacles underscores the importance of this approach. Still, in the case of ExpensiveWall, there are some good lessons to be learned. The big question is: How is such malware even able to execute given the mobile security controls enterprises have at their disposal?

It starts with BYOD. Users being free to choose which mobile devices they use and how they use them facilitates many of the problems. This is exacerbated by no – or under-implemented – mobile device management or unified endpoint management controls. If users are not being set up for success through technical controls to help protect themselves from the bad decisions they’re making, the inevitable result is obvious. In too many situations, users are calling the shots and making decisions about security that they shouldn’t be involved in. They’re downloading random apps and, in the case of ExpensiveWall, they’re enabling dangerous permissions that give the criminals access to the mobile devices. Regardless of who owns them, users are essentially doing what they want, when they want on their devices. That doesn’t seem like a very solid (or defensible) approach.

Paper pushers will say, “We have a policy against this or that, so we’re safe.” My response is: Great, how’s it working for you? Policies, schmolicies. Top-notch security paperwork means very little. In the typical enterprise, users are completely out of the loop. They’re not being properly trained on what to do and what not to do. They’re not being set up for success in many situations, and that’s on the IT and security teams the business leaders put in charge.

The ExpensiveWall malware was removed pretty quickly from Google Play, but it showed back up again soon thereafter. Just because Google (or any vendor for that matter) removes rogue apps from their app store, it doesn’t mean your security problems are immediately solved. In fact, it’s likely the beginning, since malware has to be cleaned up (if you even know it’s there), expenses for illicit or bogus charges may have to be paid or reimbursed by the company, and formal incident response procedures may have to be invoked depending on the situation.

If you’re in charge of information security, you need to keep an eye on these threats. Like politics, if you don’t take interest in them, they’ll most definitely take an interest in you – and your business at some point. Sure, you can’t control every user and every device, but you can shore up the gaps that are in your environment right now. Figure out what they are, come up with a plan to address them, and see it through until the business risks are minimized. If a security incident still surfaces, at least you’ll know in good conscience that you’ve done what needed to be done in order to minimize its impact.


Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
