A powerful money-eating malware called MobOk has been found hidden within legitimate photo editing apps on the Google Play store.
Researchers at Kaspersky said the Pink Camera and Pink Camera 2 apps, which have now been removed, were installed around 10,000 times. They included genuine photo-editing functionality, but also carried a malicious payload that gave attackers almost complete control over an infected device.
“The apps were designed to steal personal data from victims and use that information to sign them up to paid subscription services,” explained a Kaspersky researcher. “As soon as users began editing their pictures using the Pink Camera apps, the apps requested access to notifications, which initiated the malicious activity in the background. Once a victim was infected, the MobOk malware collected device information, such as the associated phone number, in order to exploit this information in later stages of the attack.”
The apps also requested access to Wi-Fi controls and notifications, and kept asking until the user said “yes.” Then, while a victim was manipulating a photo, the app collected information about the device in the background and sent it to the command-and-control (C2) server. In the later attack stages, MobOk turned off Wi-Fi on the user’s phone, forcing the device onto mobile data. From there, the attackers signed the victim up for paid online subscription services that they had in fact set up themselves. Because the subscriptions were carrier-billed, the charges appeared directly on the user’s phone bill rather than on a credit or debit card, the researcher said.
“The malware opened the subscription service webpages, acting like a secret background browser,” he explained. “Using the phone number previously extracted, the malware inserted it into the ‘subscribe’ field and confirmed the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came through – all without alerting the user.”
Further, if the subscription page was CAPTCHA-protected, the app used the image recognition service chaojiying[.], which automatically inserts the result into the relevant field on the page. From there, the attackers sat back and collected the money until the victim spotted the payments on the phone bill and unsubscribed from the offending service.
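The capability combination described above (notification access, Wi-Fi control, and phone-number access) is visible in an app's manifest before the app ever runs, and it is the reason notification access alone is enough to complete an SMS-confirmed subscription. The script below is an added illustration written for this page; it is not Kaspersky's tooling and not code from the Pink Camera apps. The manifest it parses is constructed for the example, and the permission names it checks are ordinary Android permissions, chosen here as an assumed heuristic rather than a published MobOk signature.

```python
"""Triage an Android manifest for the notification-listener + Wi-Fi-control +
phone-number-access combination, and show how a confirmation code can be
pulled from a notification once that access is granted.
Added example; the sample manifest is constructed, not taken from a real app."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed mapping from the behaviours described in the article to standard
# Android manifest entries that grant them.
WIFI_CONTROL = {"android.permission.CHANGE_WIFI_STATE"}
PHONE_NUMBER = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_SMS",
}
NOTIF_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample: a "photo editor" that declares the full combination.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Photo Editor">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a photo editor that only needs the network and camera.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaineditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Plain Editor"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return which of the three capabilities the manifest declares and
    whether all three are present together."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}

    # A notification listener is a <service> bound with the listener
    # permission and/or filtering on the listener action.
    listener = False
    for svc in root.iter("service"):
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if NOTIF_LISTENER_ACTION in actions or svc.get(PERM_ATTR) == NOTIF_LISTENER_PERM:
            listener = True

    wifi = bool(perms & WIFI_CONTROL)
    phone = bool(perms & PHONE_NUMBER)
    return {
        "notification_listener": listener,
        "wifi_control": wifi,
        "phone_number_access": phone,
        "suspicious_combination": listener and wifi and phone,
    }


# A numeric code of 4-8 digits is what carrier confirmation SMS usually carry;
# this is the only parsing a listener needs to do to "enter" the code itself.
OTP_RE = re.compile(r"\b(\d{4,8})\b")


def extract_otp(notification_text: str):
    """Return the first 4-8 digit code in a notification's text, or None."""
    match = OTP_RE.search(notification_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
    print(extract_otp("Your confirmation code is 482913. Reply STOP to cancel."))
```

The combination check is a triage signal, not proof of malice: a legitimate SMS or messaging app can declare a notification listener, and a network utility can legitimately toggle Wi-Fi. What makes it worth a closer look is a photo editor that needs none of the three, which is exactly the mismatch the Pink Camera apps presented.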