This payment model was originally developed by mobile network operators to make it easier for customers to subscribe to premium services, but it is now sometimes abused by cyber attackers.

Kaspersky experts have discovered the money-stealing malware MobOk hiding within seemingly legitimate photo editing apps available on the Google Play store. At the time of detection, the apps, titled ‘Pink Camera’ and ‘Pink Camera 2’ had been installed around 10,000 times. The apps were designed to steal personal information from victims and use that to sign them up to paid subscription services. Victims only discovered they’d been hit when they saw unexpected costs on their mobile services bill. The apps have now removed from the Google Play store and are no longer available.

The MobOk malware is a backdoor, one of the most dangerous types of malware, because it offers the attacker almost complete control over the infected device. Despite the fact that content uploaded to Google Play is thoroughly filtered, this is not the first time that threats have made their way onto users’ devices. In many cases, backdoors are covered by a semi-functioning app, which appears at first glance to be a poor, but innocent attempt to create a legitimate app. For this reason, the Pink Camera apps didn’t arouse suspicion, because they included genuine photo editing functionality and had been downloaded from the trusted Google Play store.

However, as soon as user’s started to edit their pictures using the Pink Camera apps, the apps requested access to notifications and this initiated the malicious activity in the background. The aim of this activity was to subscribe the user to paid mobile subscription services. These usually look like web-pages offering a service in exchange for a daily payment that is charged to the mobile phone bill. This payment model was originally developed by mobile network operators to make it easier for customers to subscribe to premium services, but it is now sometimes abused by cyber attackers.

Once a victim was infected, the MobOk malware would collect device information such as the associated phone number, in order to exploit this information in later stages of the attack. The attackers then sent details of web-pages with paid subscription services to the infected device and the malware would open them, acting like a secret background browser. Using the phone number extracted earlier, the malware would insert it into the “subscribe” field and confirm the purchase. Since it had full control over the device and was able to check notifications, the malware would enter the SMS confirmation code when it came in – all without alerting the user. The victim would start to incur costs and continue to do so until they spotted the payments in their phone bill and unsubscribed to each service.

To avoid falling victim to malicious apps, Kaspersky researchers advice users to, remember that even a trustworthy source, such as an official app store, can contain dangerous apps. Be vigilant and always check application permissions to see everything that installed apps are allowed to do. Check the app ratings and reviews on official stores, such as Google Play or the App Store. Malicious apps will sometimes receive low ratings and users will post comments that warn others about the risk of malware if you are about to install such an app – pay extra attention to its permission requests. Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected.