![\"trojansms_googlesearchapp\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_GoogleSearchApp.png\")
\nThe app seems popular on Google Play, with more than one million downloads yet an unusual low rating (3.5 out of 5):<\/p>\n
![\"trojansms_i_love_filter\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_I_Love_Filter.png\")
\nAnother warning flag raised by this app is that the application name \u201cI Love Filter\u201d does not correspond to the application name in the banner \u201cWonderful Cam.\u201d Looking at user reviews, we found some hints as to its low ratings from so many people:<\/p>\n
![\"trojansms_ratingandreviews\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_RatingAndReviews-248x300.png\")
\nOne review says the app makes money from your messages, suggesting the app is in fact an SMS Trojan, one of the oldest and most profitable threats to mobile devices. This type of malware sends SMS (text) messages to premium-rate numbers and charges the user for a specific service. In some cases, instead of charging for each SMS sent, the user is subscribed to a service that continuously charges until a message is submitted to cancel the subscription. After we downloaded and installed this suspect app, we confirmed that app demands permission to send SMS. There is also a typo in the application name (Fliter), which makes it even more suspicious:<\/p>\n
![\"trojansms_appinfo\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_AppInfo.png\")
\nOnce the app is executed, our suspicions are confirmed:<\/p>\n
![\"trojansms_premiumservice\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_PremiumService-169x300.png\")
\nAs soon as the app is opened, it loads a website to subscribe the user to a premium service once the user clicks on the \u201cContinue\u201d button. The “good” news is that rather than subscribing the user automatically in the background, the app explains the cost of each SMS and, more important, how the user can stop the service. The bad news is that if the user does not pay, the application cannot be used.<\/p>\n
Does this behavior mean that the developer is offering the app as free but then tries to charge the user to use the app? Not really. Looking at the decompiled source code of \u201cI Love Filter,\u201d we see that com.star.trek is in fact the free legitimate app Retro Live infected with Trojan code to charge the user via SMS messages:<\/p>\n
![\"trojansms_retrolive\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_RetroLive-300x247.png\")
\nRetro Live is currently not available on Google Play, although this is not the first time that it is being used to make a profit on Google Play. At least three other Trojanized Retro Live apps have been identified, and are currently available only on third-party sites:<\/p>\n
![\"trojansms_otherapps\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_OtherApps-185x300.png\")
\nIn the case of Beautiful Photo, and unlike I Love Filter, the terms and conditions are not so clear and are not even in English, which could lead some to click \u201cSetup\u201d without paying attention to the other text and thus subscribe the user to an unwanted premium-rate service:<\/p>\n
![\"trojansms_premiumservice2\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_PremiumService2-169x300.png\")
\nIn addition to the SMS subscription function, the injected code also leaks device and user information, including the phone number, GPS location, installed apps, and IP address:<\/p>\n
![\"trojansms_userinfoupload\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_UserInfoUpload.png\")
\nThe malware can also download and install applications:<\/p>\n
![\"trojansms_downloadandinstall\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_DownloadAndInstall.png\")
\nIn previous years Android has introduced security measures to protect users against SMS Trojans. Since Android 4.2 (Jelly Bean), the operating system has displayed a pop-up message to inform users that an app is trying to send an SMS message to a premium short number and ask for confirmation. In Android 4.4 (KitKat) Google introduced the concept of a default SMS app that limits the ability of malware to silently intercept incoming SMS messages. Nevertheless, malware authors have found ways to overcome some restrictions: In the following case the malware mutes the incoming SMS alert notification to avoid alerting the user that a confirmation message has arrived:<\/p>\n
![\"trojansms_silentmode\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/TrojanSMS_silentMode.png\")
\nAlthough SMS Trojans are not as popular as earlier in Android’s career, Trojanized apps with injected code to subscribe users to premium services remain an easy way for malware authors to profit in a restricted environment like Google Play. Users may think they are paying for a legitimate app while in fact subscribing to a service that needs a specific SMS to make it stop. Another risk lies in children downloading, installing, and executing apps, while clicking on confirmation messages that could result in charges.<\/p>\n
We have reported the \u201cI Love Filter\u201d app to Google and it should be removed soon. To protect yourselves from this threat, employ security software on your mobile devices, check user reviews for apps on Google Play, and do not accept or trust apps that ask for payment functionality via SMS messages as soon as the app is opened.<\/p>\n