At this year's I/O, Google announced Play Protect, a user-facing security screening process for apps on Android phones built on the older Verify Apps feature. Basically, it scans the apps you install, compares their contents against known malware components, and notifies you if any potential risks are found. And it turns out it isn't infallible: an older piece of malware, "packed" to evade detection, was able to slip past it.
The folks over at Check Point identified a "packed" malware strain they're calling ExpensiveWall, after an app containing it called "Lovely Wallpaper." It surreptitiously registers users for premium services via SMS, charging their accounts for services they never asked for and from which the malware's creators profit. According to Check Point, though, the same malware could be used for even more dangerous actions, such as data theft or remotely capturing media.
One of the services the malware subscribes users to, image via Check Point.
To oversimplify the process: apps carrying ExpensiveWall request internet and SMS permissions, connect to a remote server at regular intervals, and run whatever the server sends back inside an embedded WebView. If you follow Android security, this might all sound a bit familiar, and that's because it's basically identical to another piece of malware discovered earlier this year. According to Check Point, Play Protect was already able to detect the earlier version of this malware, but the new one has been "packed" to fool the existing checks.
Packing, in this instance, is effectively another name for obfuscation, a technique software developers use to conceal how a piece of software works and what it is meant to do. The obfuscation in this case was significant enough to fool the automated systems behind Google's Play Protect, to the tune of 5 to 20 million infections across all the affected apps on Google Play.
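As an added illustration (not Check Point's code, nor anything from the malware itself), here is a Python triage script that checks an APK manifest for the permission combination the article describes: internet access to reach the remote server plus SMS rights to sign victims up for premium services. Declared permissions have to appear in AndroidManifest.xml whether or not the app's code is packed, so this heuristic survives the obfuscation that defeats code-level signatures; the two manifests below are constructed samples, and the package names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # Clark notation for android:name

# Network access lets the app poll its server; SMS rights let it subscribe
# the victim to premium services. Either alone is common; together they
# match the behaviour described for ExpensiveWall.
NETWORK_PERMS = {"android.permission.INTERNET"}
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def assess(manifest_xml):
    """Flag a manifest that declares both network and SMS permissions."""
    perms = declared_permissions(manifest_xml)
    net, sms = perms & NETWORK_PERMS, perms & SMS_PERMS
    return {"network": sorted(net), "sms": sorted(sms),
            "flag": bool(net and sms)}


# Constructed sample manifests (hypothetical package names, not real apps).
WALLPAPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Lovely Wallpaper"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gallery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Gallery"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("wallpaper", WALLPAPER_MANIFEST), ("gallery", BENIGN_MANIFEST)):
        print(name, assess(m))
```

The WebView that executes server-supplied content is runtime behaviour and is not visible in the manifest, so treat the flag as a triage signal that picks out apps worth closer inspection, not as a verdict.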
Check Point made no mention of having contacted Google about this new variant, but I expect that the offending applications will be removed and that Play Protect will be updated to catch the "packed" malware. Still, it's probably just a matter of time until more obfuscated malware like ExpensiveWall is discovered.
Source: Check Point