At the time of detection, the apps, titled ‘Pink Camera’ and ‘Pink Camera 2’, had been installed around 10,000 times. The apps were designed to steal personal information from victims and use it to sign them up to paid subscription services. Victims only discovered they’d been hit when they saw unexpected charges on their mobile services bill. The apps have now been removed from the Google Play store and are no longer available.
The MobOk malware is a backdoor, one of the most dangerous types of malware, because it offers the attacker almost complete control over the infected device. Although content uploaded to Google Play is thoroughly filtered, this is not the first time that threats have made their way onto users’ devices. In many cases, backdoors are covered by a semi-functioning app, which appears at first glance to be a poor but innocent attempt to create a legitimate app. For this reason, the Pink Camera apps didn’t arouse suspicion: they included genuine photo editing functionality and had been downloaded from the trusted Google Play store.
However, as soon as users started to edit their pictures using the Pink Camera apps, the apps requested access to notifications and this initiated the malicious activity in the background. The aim of this activity was to subscribe the user to paid mobile subscription services. These usually look like web-pages offering a service in exchange for a daily payment that is charged to the mobile phone bill. This payment model was originally developed by mobile network operators to make it easier for customers to subscribe to premium services, but it is now sometimes abused by cyberattackers.
Once a victim was infected, the MobOk malware would collect device information such as the associated phone number, in order to exploit this information in later stages of the attack. The attackers then sent details of web-pages with paid subscription services to the infected device and the malware would open them, acting like a secret background browser. The malware would insert the phone number extracted earlier into the “subscribe” field and confirm the purchase. Since it had full control over the device and was able to read notifications, the malware would enter the SMS confirmation code when it arrived – all without alerting the user. The victim would start to incur costs and continue to do so until they spotted the payments on their phone bill and unsubscribed from each service.
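The abuse described above hinges on one grant: notification access, which lets an app read incoming SMS codes. A defender-side check for that grant, added here as an example and not code from the Kaspersky report, parses the value of the Android secure setting `enabled_notification_listeners` (as printed by `adb shell settings get secure enabled_notification_listeners`) and flags any package outside an assumed allowlist; the allowlist and the sample package names are constructed for the example.

```python
# Added example (not from the report): audit which Android apps hold
# notification-listener access, the grant MobOk abused to read SMS codes.
# Input is the value of the Settings.Secure key "enabled_notification_listeners",
# a colon-separated list of flattened ComponentNames ("package/class").
# "settings get" prints "null" when the key has never been set.

# Assumed allowlist for this example: packages expected to hold notification access.
EXPECTED_LISTENERS = {
    "com.android.systemui",
}


def parse_listeners(raw: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android allows the shorthand ".Class", meaning "<package>.Class".
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(raw: str, allow: set[str] = EXPECTED_LISTENERS) -> list[str]:
    """Return packages holding notification access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_listeners(raw) if pkg not in allow})


# Constructed sample output; "com.example.pinkcamera" is a placeholder and not
# the real package name of the apps in the report.
SAMPLE = ("com.android.systemui/.statusbar.NotificationListener:"
          "com.example.pinkcamera/com.example.pinkcamera.svc.NotifService")

if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE):
        print(f"review: notification access granted to {pkg}")
```

On a real device, feed the script the output of the adb command above; any flagged package should be reviewed and its notification access revoked unless there is a clear reason for it.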
“The Pink Cameras’ photo editing capability was not very impressive, but what they could do behind the scenes was remarkable: subscribing people to malicious, money-draining services in Russian, English and Thai, monitoring SMS and requesting Captcha - the code that you need to write down to prove you are not a robot - recognition from online services. This means that they also had the potential to steal money from victims’ bank accounts. Our theory is that the attackers behind these apps created both the subscription services, not all of which were genuine, and the malware that hooked subscribers, and designed them to reach an international audience,” said Igor Golovin, security researcher at Kaspersky.
Read the full report on Securelist.com
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.