Kaspersky experts have discovered the money-stealing malware MobOk hiding within seemingly legitimate photo editing apps available on the Google Play store. At the time of detection, the apps, titled ‘Pink Camera’ and ‘Pink Camera 2’ had been installed around 10,000 times. The apps were designed to steal personal information from victims and use that to sign them up to paid subscription services. Victims only discovered they’d been hit when they saw unexpected costs on their mobile services bill. The apps have now removed from the Google Play store and are no longer available. This is a huge cyber security vulnerability for a growing threat.
The MobOk malware is a backdoor, one of the most dangerous types of malware, because it offers the attacker almost complete control over the infected device. Despite the fact that content uploaded to Google Play is thoroughly filtered, this is not the first time that threats have made their way onto users’ devices. In many cases, backdoors are covered by a semi-functioning app, which appears at first glance to be a poor, but innocent attempt to create a legitimate app. For this reason, the Pink Camera apps didn’t arouse suspicion, because they included genuine photo editing functionality and had been downloaed from the trusted Google Play store.
To avoid falling victim to malicious apps, Kaspersky researchers advise users to:
- Remember that even a trustworthy source, such as an official app store, can contain dangerous apps. Be vigilant and always check application permissions to see everything that installed apps are allowed to do. Check the app ratings and reviews on official stores, such as Google Play or the App Store. Malicious apps will sometimes receive low ratings and users will post comments that warn others about the risk of malware If you are about to install such an app – pay extra attention to its permission requests.
- Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected.
- Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud
However, as soon as users started to edit their pictures using the Pink Camera apps, the apps requested access to notifications and this initiated the malicious activity in the background. The aim of this activity was to subscribe the user to paid mobile subscription services. These usually look like web-pages offering a service in exchange for a daily payment that is charged to the mobile phone bill. This payment model was originally developed by mobile network operators to make it easier for customers to subscribe to premium services, but it is now sometimes abused by cyberattackers.
Once a victim was infected, the MobOk malware would collect device information such as the associated phone number, in order to exploit this information in later stages of the attack. The attackers then sent details of web-pages with paid subscription services to the infected device and the malware would open them, acting like a secret background browser. Using the phone number extracted earlier, the malware would insert it into the “subscribe” field and confirm the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came in – all without alerting the user. The victim would start to incur costs and continue to do so until they spotted the payments in their phone bill and unsubscribed to each service.
“The Pink Cameras’ photo editing capability was not very impressive, but what they could do behind the scenes was remarkable: subscribing people to malicious, money-draining services in Russian, English and Thai, monitoring SMS and requesting Captcha – the code that you need to write down to prove you are not a robot – recognition from online services. This means that they also had the potential to steal money from victims’ bank accounts. Our theory is that the attackers behind these apps created both the subscription services, not all of which were genuine, and the malware that hooked subscribers, and designed them to reach an international audience,” said Igor Golovin, security researcher at Kaspersky.
Kaspersky Lab detects the MobOk malware as HEUR:Trojan.AndroidOS.MobOk.a