Go to listing page

AsiaHitGroup targets Android users with Sonvpay malware in new billing fraud campaign

AsiaHitGroup targets Android users with Sonvpay malware in new billing fraud campaign

Android users have been hit with a new billing fraud campaign launched by the hacker group AsiaHitGroup. The hacker group has been using the Sonvpay malware as part of a new campaign to infect Android apps, allowing hackers to harvest billing information from victims.

According to security researchers at McAfee, the new campaign is an example of how cybercriminals find innovative methods to steal money from victims using vulnerable or malicious apps.

AsiaHitGroup’s malicious mobile activities

AsiaHitGroup hackers have been active since 2016. The group has been involved in similar mobile billing fraud campaigns in 2016 and 2017 and has since upgraded both its campaign and the Sonvpay malware.

During AsiaHitGtoup’s 2016 campaign, the hackers attempted to charge around 20,000 victims, located mainly in Thailand and Malaysia, for downloading copies of popular apps. In their 2017 campaign the hackers used IP address geolocation to check the country of the victim. The hackers also expanded their campaign by adding Russian victims, likely in efforts to continue stealing from a wider array of victims.

The AsiaHitGroup’s latest mobile billing fraud campaign began in January 2018 which saw hackers repackage the Sonvpay malware to use silent push notifications to trigger a fake update dialogue.

Modus Operandi

The hacker group’s latest campaign, like its previous ones, focused on attempting to dupe victims into paying for popular apps. The hackers used Sonvpay to trigger a fake update, which when clicked on, automatically subscribed victims to a premium-rate service.

This subscription does not rely on SMS notifications, instead operating mainly via WAP billing. In other words, attackers only require victims to use their mobile networks to access a particular website and the subscription process is established.


AsiaHitGroup’s latest campaign saw around 15 apps on Google Play infected by the Sonvpay malware, including the infamous Despacito ringtone app thatrose to popularity after the Despacito song became a smash-hit. McAfee researchers believe that these 15 apps were downloaded at least 50,000 times, helping the hackers rake in thousands.

“Based on the approximate number of installations from Google Play, the cost of the premium-service subscription, and the days that these apps were available, we estimate that the AsiaHitGroup Gang could have potentially earned between $60,500–$145,000 since January,” McAfee researchers wrote in a blog.

Who was targeted?

According to McAfee researchers, the AsiaHitGroup hackers have targeted Russia, Thailand and Malaysia in earlier campaigns. However, the 2018 campaign saw hackers target victims in Malaysia and Kazakhstan. Researchers also believe that the campaign’s infrastructure can be updated fairly easily to begin targeting victims in other countries as well.

“Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits. The campaigns started in late 2016 with very simple fake installers that charged users for copies of popular apps,” McAfee researchers said.

“In late 2017, Google Play apps abused WAP-billing services and used IP address geolocation to target specific countries. In 2018, Google Play apps used silent background push notifications to trigger the display of a fake update message and to gather data for mobile billing fraud.

“We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world.”

Cyware Publisher