
Etinu

Billing fraud trojan discovered by McAfee on Google Play in 2021 with 700,000+ downloads. Etinu abused Android's Notification Listener to read incoming SMS from their notifications without holding any SMS read permission, then used the intercepted messages to enroll victims in auto-renewing premium subscriptions without their knowledge. Its malicious code arrived in several stages through dynamic code loading, with the encrypted payloads hidden in the APK's assets folder.

Overview

Property | Value
First seen | 2021
Type | Billing fraud / premium subscription trojan
Attribution | Unknown
Aliases | Android/Etinu (McAfee)

Distribution

Google Play Store. The operators submitted clean versions for review and then shipped the malicious code in later updates. The apps posed as photo editors, wallpapers, puzzles, keyboard skins and camera apps, and reached 700,000+ downloads before removal.

Capabilities

Capability | Implementation
Notification hijacking | Registered a Notification Listener, which needs the user to grant notification access but no READ_SMS or RECEIVE_SMS permission, and read incoming SMS content from the messaging app's notifications
Premium subscription fraud | Used the intercepted messages to complete auto-renewing premium subscriptions without user knowledge
Dynamic code loading | Multi-stage payload: encrypted files stored in the assets folder under innocuous names such as "cache.bin", "settings.bin", "data.droid" and ".png" image files
Payload decryption | Decrypted "1.png" to "loader.dex", which was then loaded and in turn loaded the final payload
Data exfiltration | Carrier info, phone number, SMS content, IP address, country, network status
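The indicators in the table above (stage files with innocuous names under assets, a ".png" that is really an encrypted DEX, and a notification listener in place of SMS permissions) can all be checked statically before an APK is ever run. The script below is an added example written for this page, not McAfee's tooling or code from the Etinu samples; it treats the APK as the zip file it is, and the indicator names, the entropy cut-off, the byte-search manifest check and the constructed sample APK it triages by default are all assumptions.

```python
"""Static triage for Etinu-style APKs (added example, not code from the samples).

Indicators checked, taken from this page:
  - encrypted stages stored under assets/ as cache.bin, settings.bin, data.droid
  - .png assets that carry no PNG header (Etinu's "1.png" was an encrypted loader.dex)
  - high byte entropy in assets, consistent with encrypted blobs
  - an AndroidManifest.xml referencing the notification-listener permission
The manifest check is a raw byte search in both encodings binary AXML uses for its
string pool, not an AXML parser; treat it as a heuristic. Thresholds are assumed.
"""
import io
import math
import sys
import zipfile
from collections import Counter

SUSPECT_ASSET_NAMES = {"cache.bin", "settings.bin", "data.droid"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
HIGH_ENTROPY = 7.5  # bits per byte; assumed cut-off, close to the 8.0 of uniform data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_requests_notification_listener(manifest: bytes) -> bool:
    """Heuristic: AXML string pools are UTF-16LE or UTF-8, so search for both."""
    return (LISTENER_PERMISSION.encode("utf-16-le") in manifest
            or LISTENER_PERMISSION.encode("utf-8") in manifest)


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the Etinu indicators found in an APK given as raw bytes."""
    findings = {
        "suspect_assets": [],
        "fake_pngs": [],
        "high_entropy_assets": [],
        "notification_listener": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name == "AndroidManifest.xml":
                findings["notification_listener"] = manifest_requests_notification_listener(zf.read(name))
                continue
            if info.is_dir() or not name.startswith("assets/"):
                continue
            base = name.rsplit("/", 1)[-1]
            data = zf.read(name)
            if base in SUSPECT_ASSET_NAMES:
                findings["suspect_assets"].append(name)
            # A real PNG starts with the 8-byte signature; an encrypted DEX does not.
            if base.lower().endswith(".png") and not data.startswith(PNG_MAGIC):
                findings["fake_pngs"].append(name)
            if shannon_entropy(data) >= HIGH_ENTROPY:
                findings["high_entropy_assets"].append(name)
    return findings


def is_etinu_like(findings: dict) -> bool:
    """Assumed rule: a hidden stage under assets plus notification-listener access."""
    hidden_stage = bool(findings["suspect_assets"] or findings["fake_pngs"])
    return hidden_stage and findings["notification_listener"]


def build_sample_apk() -> bytes:
    """Constructed fixture laid out like an APK; not a real Etinu sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stand-in for binary AXML: a fake chunk header followed by the UTF-16LE permission.
        zf.writestr("AndroidManifest.xml",
                    b"\x03\x00\x08\x00" + LISTENER_PERMISSION.encode("utf-16-le"))
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/wallpaper.png", PNG_MAGIC + b"\x00" * 512)  # real header, low entropy
        zf.writestr("assets/1.png", bytes(range(256)) * 8)             # no header, entropy 8.0
        zf.writestr("assets/cache.bin", bytes(range(256)) * 4)         # named like an Etinu stage
    return buf.getvalue()


if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    result = triage_apk(apk)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("etinu_like:", is_etinu_like(result))
```

Run it with a path to an APK, or with no arguments to triage the constructed sample. The missing PNG signature is the strong signal; entropy alone is weak, since a genuine PNG's compressed image data is also high-entropy, which is why the verdict rule keys on the header and file-name checks rather than on entropy.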

Target Regions

Southwest Asia and the Arabian Peninsula.

Significance

Etinu belongs to the broader Joker malware ecosystem and shares Joker's Notification Listener technique for intercepting SMS without SMS permissions. Because Google Play restricts which apps may request SMS permissions, reading messages out of their notifications sidesteps that review hurdle while still giving the operators what they need for subscription fraud.

References