Hidden Malware in Android App Drained Money By Automatically Subscribing Users To Paid Services


Pink Camera and Pink Camera 2, a pair of genuinely popular photo editing apps, were found to contain integrated malware that siphoned money from users' mobile accounts. The malware, named MobOk, automatically subscribed users to illegitimate services by making fully automated payments from the user's mobile account. Both apps have now been removed from the Play Store by Google after the scheme was discovered and reported by Kaspersky Lab security researcher Igor Golovin. According to Igor, “The apps were designed to steal personal data from victims and use that information to sign them up to paid subscription services. As soon as users began editing their pictures using the Pink Camera apps, the apps requested access to notifications, which initiated the malicious activity in the background. Once a victim was infected, the MobOk malware collected device information, such as the associated phone number, in order to exploit this information in later stages of the attack.”

After installation the app kept asking for Wi-Fi control and notification access until the user said “Yes”. As the user went on using the app, it collected information in the background and sent it to its CnC server. In the later stage of the attack, MobOk turned off Wi-Fi, thereby forcing the device onto mobile data for connectivity. It then secretly opened a browser in the background to complete the subscription process without being visible to the user.

“The malware opened the subscription service webpages, acting like a secret background browser,” Igor explained “Using the phone number previously extracted, the malware inserted it into the ‘subscribe’ field and confirmed the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came through – all without alerting the user.”

Further, if the subscription page was CAPTCHA-protected, the app used Chaojiying, a popular image recognition service, and automatically inserted the result into the CAPTCHA entry field on the page. The subscription would keep draining money from the affected mobile account until the user spotted the payment on their phone bill and manually unsubscribed from the service. Even then the app would resubscribe the user by repeating the whole process in the background, since the attacker would be notified of the unsubscribe event by the subscription service's own system.
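Added here as a defender's triage aid, not part of the original article or of Kaspersky's analysis: a Python check that flags an APK manifest granting itself the combination of capabilities the attack above relied on (notification access, Wi-Fi control, phone-number access and network). The permission names are standard Android ones; the mapping to the article's capabilities and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities MobOk needed, as described in the article, mapped to the Android
# permissions that grant them (assumed mapping, not taken from the article).
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
WIFI_CONTROL = {"android.permission.CHANGE_WIFI_STATE"}
PHONE_INFO = {"android.permission.READ_PHONE_STATE",
              "android.permission.READ_PHONE_NUMBERS"}
NETWORK = {"android.permission.INTERNET"}


def assess_manifest(manifest_xml: str) -> dict:
    """Return which MobOk-style capabilities an app manifest grants itself."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Notification access is not a <uses-permission>; it is granted to a
    # declared service protected by BIND_NOTIFICATION_LISTENER_SERVICE.
    listener = any(s.get(ANDROID_NS + "permission") == NOTIF_LISTENER
                   for s in root.iter("service"))
    findings = {
        "notification_access": listener,
        "wifi_control": bool(perms & WIFI_CONTROL),
        "phone_number_access": bool(perms & PHONE_INFO),
        "network": bool(perms & NETWORK),
    }
    # Flag only the full combination from the article to limit false positives;
    # a photo editor has no business with notification access plus Wi-Fi control.
    findings["suspicious"] = all(findings.values())
    return findings


# Constructed sample manifest for a photo-editing app; not a real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```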

Earlier this year (in April) BuzzFeed News reported that a number of apps developed by DU Group on the Play Store were fraudulent. The largest among them was the very popular Selfie Camera app, which had over 50 million downloads on the Play Store. Check Point researchers investigating ad fraud discovered that the app contained malicious code that automatically clicked on advertisements without the user's consent. At the same time the apps were gathering device usage information and sending it back to their CnC server in China. The other apps found to be involved in the ad fraud scandal were RAM Master, Omni Cleaner, Total Cleaner, Smart Cleaner and AIO Flashlight, all published by DU Group, which is partially owned by Baidu, one of China's largest multinational tech companies.