Woburn, MA – June 20, 2019Kaspersky experts have discovered the money-stealing MobOk malware hiding within seemingly legitimate photo editing apps available on the Google Play store. The apps, titled ‘Pink Camera’ and ‘Pink Camera 2,’ had been installed around 10,000 times at the time of detection, and they have now been removed from the Google Play store. The apps were designed to steal personal data from victims and use that information to sign them up to paid subscription services.

The MobOk malware is a highly dangerous backdoor, as it can offer the attacker almost complete control over an infected device. Although content uploaded to Google Play is thoroughly filtered, this is not the first time that these kinds of threats have made their way onto users’ devices through the online store. In many cases, malware is concealed by a semi-functioning app, which appears at first glance to be a poor, but innocent attempt to create a legitimate app. Likewise, the Pink Camera apps did not arouse suspicion because they included genuine photo editing functionality and had been downloaded from the trusted Google Play store.

However, as soon as users began editing their pictures using the Pink Camera apps, the apps requested access to notifications, which initiated the malicious activity in the background. Once a victim was infected, the MobOk malware collected device information, such as the associated phone number, in order to exploit this information in later stages of the attack.

The attackers then sent details of webpages offering paid subscription services to the infected device. With this kind of service, charges are made directly to a user’s phone bill, rather than to a credit or debit card. This payment model was originally developed by mobile network operators to make it easier for customers to subscribe to premium services, but it is now often abused by cybercriminals.

The malware opened the subscription service webpages, acting like a secret background browser. Using the phone number previously extracted, the malware inserted it into the “subscribe” field and confirm the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came through – all without alerting the user. The victim would later start to incur costs and continue to do so until they spotted the payments in their phone bill and unsubscribed to each service.

“The Pink Cameras’ photo editing capability was not very impressive, but what they could do behind the scenes was remarkable: subscribing people to malicious, money-draining services in Russian, English and Thai; monitoring SMS; and requesting Captcha recognition from online services,” said Igor Golovin, security researcher at Kaspersky. “This means that they also had the potential to steal money from victims’ bank accounts. Our theory is that the attackers behind these apps created both the subscription services, not all of which were genuine, and the malware that hooked subscribers, and designed them to reach an international audience.”

To avoid falling victim to malicious apps, Kaspersky researchers advise consumers to:

  • Remember that even a trustworthy source, such as an official app store, can contain dangerous apps. Be vigilant and always review application permissions during install. Check the app ratings and reviews on official stores, such as Google Play or the App Store. Malicious apps will sometimes receive low ratings and users will post comments that warn others about the risk of malware. If you are about to install such an app, pay extra attention to its permission requests.
  • Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected.
  • Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud.

 Read the full report on Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Media Contact
Meghan Rimol
781.503.2671
meghan.rimol@kaspersky.com 

Fake Photo Editing Apps on Google Play Hid Powerful MobOk Backdoor

Malware designed to steal users’ information in order to subscribe to paid mobile services
Kaspersky Logo