MobOk Malware Hides in Photo Editors on Google Play, Siphons Cash

mobok malware pink camera google play

Pink Camera apps secretly signed users up for premium subscription services.

A powerful money-siphoning malware known as MobOk has been found hiding in seemingly legitimate photo editing apps available on the Google Play store.

The Pink Camera and Pink Camera 2 apps, now removed, had been installed around 10,000 times, according to researchers at Kaspersky. They included genuine (though limited) photo-editing functionality, but also came with a highly dangerous backdoor that could offer the attacker almost complete control over an infected device.

“The apps were designed to steal personal data from victims and use that information to sign them up to paid subscription services,” explained Kaspersky researcher Igor Golovin, in a posting on Thursday. “As soon as users began editing their pictures using the Pink Camera apps, the apps requested access to notifications, which initiated the malicious activity in the background. Once a victim was infected, the MobOk malware collected device information, such as the associated phone number, in order to exploit this information in later stages of the attack.”

The apps also requested access to Wi-Fi controls and notifications — and kept asking until the user said “yes.” Next, while a victim was manipulating a photo, the app collected information in the background about the device and sent it to the command-and-control (C2) server.

Click to enlarge.

In the later attack stages, MobOk turned off Wi-Fi on the user’s phone, thereby activating mobile data for connectivity. From there, the attackers signed the victim up for paid online subscription services that they had in fact set up. The charges are made directly to a user’s phone bill, rather than to a credit or debit card – a model that’s routinely abused by cybercriminals, Golovin said.

“The malware opened the subscription service webpages, acting like a secret background browser,” he explained. “Using the phone number previously extracted, the malware inserted it into the ‘subscribe’ field and confirmed the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came through – all without alerting the user.”

Further, if the subscription page was CAPTCHA-protected, the app used the image recognition service chaojiying[.], which automatically inserts the result into the relevant field on the page.

From there, the attackers sat back and collected the money, until the victim spotted the payments on the phone bill and unsubscribed the offending service.

“The Pink Cameras’ photo editing capability was not very impressive, but what they could do behind the scenes was remarkable: subscribing people to malicious, money-draining services in Russian, English and Thai; monitoring SMS; and requesting CAPTCHA recognition from online services,” Golovin said. “This means that they also had the potential to steal money from victims’ bank accounts. Our theory is that the attackers behind these apps created both the subscription services, not all of which were genuine, and the malware that hooked subscribers, and designed them to reach an international audience.”

Suggested articles