A newfound malware is wreaking havoc on Android devices, secretly downloading paid apps in the background.

The Android malware dubbed as “Trojan!MMarketPay.A@Android” was first discovered by TrustGo early July.  The security company discovered that the malware downloads paid apps and contents from Mobile Market, the Android market of China Mobile, one of the world’s largest network carrier, which could lead to sky-high phone bills.

According to TrustGo, the trojan may arrive repackaged apps with the following names:

• com.mediawoz.goweather
• com.mediawoz.gotq
• com.mediawoz.gotq1
• cn.itkt.travelskygo
• cn.itkt.travelsky
• com.funinhand.weibo
• sina.mobile.tianqitong
• com.estrongs.android.pop

The virus already found its way to nine Android markets in China namely nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn,TalkPhone, 159.com, and AZ4SD.

How the Trojan infects Android

The Mobile Market hosts both paid and free apps as well as multimedia content.  When a user wants to download apps or content, they login at Mobile Market’s website but no login is required if they use CMWAP as Access Point.  When a customer purchases an app, Mobile Market will send a verification code via SMS to the user which will then be keyed in Mobile Market to verify the purchase.  Once verification is done, the app will be downloaded in the user’s mobile device automatically and the amount will be added to the user’s monthly phone bill.

The Trojan!MMarketPay.A@Android automatically downloads paid apps and content by changing the APN to CMWAP without the user’s knowledge then simulating the steps, and intercepting the verification SMS sent by Mobile Market.

Everything happens in the background – you won’t even know that it’s actually happening.  If a CAPTCHA image is invoked, it will post the image to a remote server to analyze the verification code then send the verification back to Mobile Market.  Download will begin and the clueless consumer gets charged.

So if you’re an Android user in China, better check your phone bill by calling your service provider.  Over 100,000 Android devices are said to be already infected by the Trojan!MMarketPay.A@Android.

And as always, we urge consumers to download apps/contents only from legitimate Android stores like Google Play.  If your device doesn’t have access to Google Play, better install a mean antivirus to thwart malicious attacks.