
Malicious photo-editing apps steal money from users through unwarranted subscriptions

  • Pink Camera and Pink Camera 2, two malicious apps with photo-editing functionality, carried malware that accessed and collected users' personal information.
  • The malware, known as ‘MobOk’, collected information such as users’ phone numbers, which were then used to sign users up for fake subscriptions without their knowledge.

Two malicious apps on Google Play were found distributing MobOk malware in order to steal money from users through unwarranted subscriptions. The two apps, Pink Camera and Pink Camera 2, were advertised as photo-editing apps but concealed the MobOk malware, which performed a number of malicious activities.

Security researcher Igor Golovin of Kaspersky came across these apps, which have been downloaded over 10,000 times, on Google Play.

How does it work?

  • In a blog post, Golovin mentions that the apps leverage multiple Android device permissions, including Wi-Fi controls and notification access.
  • Once users grant the permissions, the apps collect personal information in the background while the app is in use. The information is then sent to a server at ps.okyesmobi[.]com.
  • A series of site redirections then takes users, without their knowledge, to a ‘subscription’ page. In addition, Wi-Fi is turned off and mobile data is activated.
  • Then, malicious JavaScript in the app resources performs a number of actions to ‘subscribe’ automatically, resulting in fraudulent payments.
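
A defender-side triage check for the permission pairing described above, added here as an example; it is not code from Kaspersky's analysis or from the apps. It assumes ‘Wi-Fi controls’ maps to `CHANGE_WIFI_STATE` and ‘notification access’ to a declared notification listener service, and it runs on constructed sample manifests with hypothetical package names.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumed mapping of the article's "Wi-Fi controls" and "notification access".
WIFI_CONTROL = "android.permission.CHANGE_WIFI_STATE"
NOTIF_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_ACTION = "android.service.notification.NotificationListenerService"

def triage_manifest(xml_text):
    """Flag a decoded AndroidManifest.xml that pairs Wi-Fi control with notification access."""
    root = ET.fromstring(xml_text.strip())
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(A + "name") for e in root.iter(tag))
    listeners = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # A listener is bound via the service's permission attribute or its intent filter.
        if svc.get(A + "permission") == NOTIF_BIND or NOTIF_ACTION in actions:
            listeners.append(svc.get(A + "name"))
    findings = []
    if WIFI_CONTROL in requested:
        findings.append("wifi-control")
    if listeners:
        findings.append("notification-access")
    return {"package": root.get("package"), "findings": findings,
            "listeners": listeners, "flag": len(findings) == 2}

# Constructed manifests (hypothetical package names), not taken from the real apps.
SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photoedit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifySvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.filters">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(triage_manifest(sample))
```

A flag here is a prompt for manual review, not a verdict: the read-only `ACCESS_WIFI_STATE` in the second sample is deliberately not counted as Wi-Fi control.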

Worth noting

Golovin suggested that the official platform, Google Play, allowed the app developers to distribute their malicious apps to as many users as possible. “Analysis of pages loaded by the malware revealed the targets to be users from different countries, while its distribution through an official app store helped the authors to spread it far and wide,” wrote the researcher.

As of now, both apps have been removed from Google Play.
