  • The malicious ‘Yellow Camera’ app targets users in Southeast Asian countries such as Thailand and Malaysia.
  • The fake photo-beautification app has since been removed from the Google Play Store.

What is the problem?

Researchers from Trend Micro have uncovered a new malicious photo beautification/editing app named ‘Yellow Camera’ on Google Play that is capable of reading SMS verification codes from system notifications. With those codes the app can activate Wireless Application Protocol (WAP) billing on the victim's account.

What is WAP billing?

Wireless Application Protocol (WAP) billing services are widely used as an alternative payment method for purchasing content from WAP-enabled sites. These services charge purchases directly to the user’s phone bill or credits without having to register for services, key in credentials, or use credit or debit cards.

The detailed picture

This malicious app, which Trend Micro detects as AndroidOS_SMSNotfy, targets users in Southeast Asian countries such as Thailand and Malaysia. It was also spotted targeting Chinese-speaking users.

  • Once users install the malicious ‘Yellow Camera’ app, it asks for permission to access the device's notifications.
  • Once that access is granted, the app downloads a file named “[MCC+MNC].log” (the name is built from the device's mobile country code and mobile network code) that contains JavaScript payloads and the address of a WAP subscription billing site.
  • The WAP-enabled billing site is then opened in a WebView.
  • The JavaScript payload auto-clicks the Type Allocation Code (TAC) request button and reads the SMS verification code from system notifications.
  • The verification code is then used to complete a fraudulent WAP subscription.

“For persistence, the malicious app uses the startForeground API to put the service in a foreground state, where the system considers it to be something the user is actively aware of and thus would not be terminated even if the device is low on memory,” researchers noted.
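The capability set described in the steps above and in the persistence quote (notification access, a foreground service, and network access to fetch the payload) can be checked statically in a decoded AndroidManifest.xml before an app is allowed onto managed devices. The following Python triage helper is an added example written for this page, not code from Trend Micro or from the app itself; the two manifests it parses are constructed samples with made-up package and class names, and the scoring rule is a hypothetical heuristic.

```python
"""Static triage of an Android manifest for the capability combination the
Yellow Camera report describes: a notification-listener service, the
foreground-service permission used for persistence, and Internet access.
Both manifests below are CONSTRUCTED samples for illustration only."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

# Constructed manifest mimicking the report's capability set (hypothetical
# package and class names).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photofilter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Photo Filter">
        <activity android:name=".MainActivity"/>
        <service android:name=".NotifySvc"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary camera app with no listener service.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaincamera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Camera">
        <activity android:name=".CameraActivity"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage(manifest_xml: str) -> dict:
    """Return the indicators found plus a hypothetical flagged/score verdict.

    A service counts as a notification listener if it either requires the
    BIND_NOTIFICATION_LISTENER_SERVICE permission or filters on the
    NotificationListenerService action; legitimate listeners declare both,
    so either one alone is still worth a look.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    listeners = []
    for svc in root.iter("service"):
        binds_listener = _attr(svc, "permission") == LISTENER_PERMISSION
        has_action = any(_attr(a, "name") == LISTENER_ACTION
                         for a in svc.iter("action"))
        if binds_listener or has_action:
            listeners.append(_attr(svc, "name"))

    # FOREGROUND_SERVICE is only required on Android 9 (API 28) and later, so
    # its absence does not rule out startForeground() use on older targets.
    indicators = {
        "notification_listener": listeners,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
        "internet": "android.permission.INTERNET" in perms,
    }
    # Hypothetical weighting: notification access is the key capability in the
    # report; persistence and network access raise confidence.
    score = (2 if listeners else 0) \
        + (1 if indicators["foreground_service"] else 0) \
        + (1 if indicators["internet"] else 0)
    indicators["score"] = score
    indicators["flagged"] = bool(listeners) and indicators["internet"]
    return indicators


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

Notification-listener access is also used legitimately by wearable companions, call-screening and accessibility tools, so a flag from this helper is a prompt for manual review of what the listener does with the notification text, not a verdict on its own.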

Worth noting

Researchers who uncovered the malicious ‘Yellow Camera’ app and other similar apps disclosed their findings to Google, which responded immediately by removing the app from the Google Play Store.

Cyware Publisher