Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware

Ever hear “Despacito” on the radio? Of course you did! It was the song of 2017 – taking over radios, dance clubs, and even ringtones on our cell phones. Take Android users for instance – many even downloaded the “Despacito for Ringtone” so they could enjoy the tune anytime they received a phone call. But what they didn’t know is that they could be involved in a cyberattack, rather than just listening to their favorite song. As a matter of fact, our McAfee Mobile Research team has found a new malicious campaign, named Sonvpay, that’s impacted at least 15 apps published on Google Play – including that Despacito app.

How it works

You know how with some of your apps you can adjust the push notifications? Sometimes these notifications pop up on your screen, and other times you won’t receive any – depending on your settings. To enact its malicious scheme, Sonvpay listens for incoming push notifications that contain the data they need in order to perform mobile billing fraud – which is when extra charges get added to a user’s phone bill and can potentially line a cybercriminal’s pocket.

Once receiving the data, the crooks can perform this mobile billing fraud (either WAP and SMS fraud) by displaying a fake update notification to the user. This fake notification has only one red flag – if the user scrolls until the end, the phrase “Click Skip is to agree” appears, as seen below.

If the user clicks the only button (Skip), Sonvpay will complete its mission – and will fraudulently subscribe the user to a WAP or SMS billing service, depending on the victim’s country.

What it affects

So which Android applications contain Sonvpay? The McAfee Mobile Research team initially found that Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone were carrying the Sonvpay, and Google promptly took them down once notified. But then more emerged, totaling up to 15 applications out there that contain Sonvpay, some of which have been installed over 50,000 times. These applications include:


Cut Ringtones 2018


Qrcode Scanner

QRCodeBar Scanner APK

Despacito Ringtone

Let me love you ringtone

Beauty camera-Photo editor


Night light


Shape of you ringtone

Despacito for Ringtone

Iphone Ringtone


So now the next question is – what do I do if I was one of the Android users who downloaded an application with Sonvpay? How can I avoid becoming a victim of this scam? Start by following these tips:

  • Only give your apps permission to what they need. When downloading one of these applications, one user reported they noticed that the app asked for access to SMS messages. This should’ve been a red flag – why would a ringtone app need access to your texts? Whenever you download an app, always double check what it’s requesting access to, and only provide access to areas it absolutely needs in order to provide its service.
  • Always read the fine print. Before you update or download anything, always make sure you scroll through all the information provided and read through it line by line. This may feel tedious, but it could be the difference between being compromised and remaining secure.
  • Use a mobile security solution. As schemes like Sonvpay continue to impact mobile applications and users, make sure your devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Mobile Security

Back to top