Cámara Visión Nocturna (CVN app) is a free night vision camera app for Android smartphones that, while performing the job of creating over saturated bad images of dark rooms, was also charging users up to €36 (R535) a month. In a blog post from the VirusLab team at Avast details how they discovered the rogue villainy that had cost users a rather serious amount of money.
The key to the discovery was a set of rather strange permissions that the app requested when it was first installed, including the ability to send and receive SMS messages, which is what tipped off researchers Chrysaidos Nikolaos and Filip Chytry to the problem.
Once installed CVN app would go through a list of chat apps most likely to be found on anyone’s smartphone including WhatsApp, ChatOn and Telegram and scrape them for your phone number which they all require to authenticate against your account. The CVN app would then send your phone number to a server which would register it for a premium SMS service, much like the ones that offer ringtones and games for a R15 a week subscription fee that we see often in South Africa. Once your number is subscribed it would charge your phone account €2 (around R30) up to a maximim of 18 times (€36) before the service would time out.
Avast says that it has, of course, already added the code that the application uses to its list of malware signatures which would prevent users of the company’s free Android Mobile Security & Antivirus from encountering the problem in the first place. The moral of the story however is to be careful about what permissions an application requests when you install it on your Android device.
[Source: Avast blog]