Android Devices No Longer Safe - Hackers Launching MobOk Malware via Fake Photo Editing Application in Play Store

Researchers discovered fake photo editing applications that cyber criminals are using to distribute the MobOk malware, which takes complete control of the victim's Android device.

Attackers target Android users through apps published on the official Google Play Store and hide the malware inside them to steal money by subscribing users to premium services from within the application.

Two photo editor apps were uncovered, 'Pink Camera' and 'Pink Camera 2', which together had been installed nearly 10,000 times.

These apps were uploaded to the Google Play Store with the intention of stealing personal data from the user's Android device and using it to sign the victim up for paid subscription services.

Investigators describe MobOk as a powerful backdoor, since it has sophisticated capabilities that give it almost complete control over the infected Android device.

The developers of the Pink Camera apps added evasion techniques to hide the suspicious activity and avoid detection of the malware. The apps include genuine photo editing functionality, and users trust them because they were downloaded from the Google Play Store.

Once the app is installed on the victim's phone, it asks the user to grant it notification access and then performs its malicious activity in the background.

The primary purpose of these apps is to subscribe the user to paid mobile subscription services.

Infection Process:

After infection, MobOk starts collecting device information, including the phone number, and the attackers' server sends back a web page for a premium subscription that requires the user to pay for the service.

Meanwhile, the malware opens a hidden browser in the background, inserts the previously collected phone number into the "subscribe" field and confirms the purchase.

Because MobOk already has complete control of the victim's phone, it grabs the SMS verification code from the incoming notification and enters it on the user's behalf, completing the malicious subscription.

In appearance and operation both apps are quite ordinary, but the malicious activity begins when they request permissions for various controls, such as access to Wi-Fi controls, which is entirely unusual for this kind of app.

“While users upload the photo into the app to edit, the app collects information in the background about the device and sends it to the server ps.okyesmobi[.]com.”

Attack Indicators:

SHA256

  • 7F5C5A5F57650A44C10948926E107BA9E69B98D1CD1AD47AF0696B6CCCC08D13
  • E706EB74BAD44D2AF4DAA0C07E4D4FD8FFC2FC165B50ED34C7A25565E310C33B
  • 796A72004FAE62C43B1F02AA1ED48139DA7975B0BB416708BA8271573C462E79
  • C5CA6AA73FDCB523B5E63B52197F134F229792046CBAC525D46985AD72880395
  • B9038DC32DE0EA3619631B54585C247ECFD304B72532E193DED722084C4A7D1C
  • D4406DEE2C0E3E38A851CEA6FD5C4283E98497A894CA14A58B27D33A89B5ED5F
  • 59D64FBFF1E5A9AC1F8E29660ED9A76E5546CA07C2FF99FE56242FA43B5ABEC3
  • C5B6146D7C126774E5BB299E732F10655139056B72C28AA7AD478BD876D0537E
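The triage script below is an added example, not code from this article or from the researchers it cites. It turns the behaviour described above (notification access used to read SMS verification codes, phone-number collection, Wi-Fi control permissions that a photo editor has no need for) and the SHA256 list into static checks a defender can run over an AndroidManifest.xml and an APK digest. The sample manifest and the package name com.example.pinkcam are constructed for the example; the permission and component names are real Android identifiers, but which of them any given MobOk build actually declares is an assumption, so treat the heuristic as a triage aid rather than a signature.

```python
"""Static triage of an Android app against the MobOk behaviour and IoCs described in the article."""
import hashlib
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# SHA256 hashes of the Pink Camera / Pink Camera 2 samples listed in the article.
MOBOK_SHA256 = {
    "7F5C5A5F57650A44C10948926E107BA9E69B98D1CD1AD47AF0696B6CCCC08D13",
    "E706EB74BAD44D2AF4DAA0C07E4D4FD8FFC2FC165B50ED34C7A25565E310C33B",
    "796A72004FAE62C43B1F02AA1ED48139DA7975B0BB416708BA8271573C462E79",
    "C5CA6AA73FDCB523B5E63B52197F134F229792046CBAC525D46985AD72880395",
    "B9038DC32DE0EA3619631B54585C247ECFD304B72532E193DED722084C4A7D1C",
    "D4406DEE2C0E3E38A851CEA6FD5C4283E98497A894CA14A58B27D33A89B5ED5F",
    "59D64FBFF1E5A9AC1F8E29660ED9A76E5546CA07C2FF99FE56242FA43B5ABEC3",
    "C5B6146D7C126774E5BB299E732F10655139056B72C28AA7AD478BD876D0537E",
}

# Real Android permission names. Assumption: these are the ones that matter for
# the behaviour the article describes; a specific sample may declare a different set.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
WIFI_CONTROL = {"android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE"}
PHONE_IDENTITY = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
SMS_ACCESS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed manifest for the example; the package name is not a real MobOk package.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pinkcam">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary photo editor, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plaincam">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>
"""


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA256 of APK bytes, in the form used by the article's IoC list."""
    return hashlib.sha256(data).hexdigest().upper()


def matches_ioc(digest_hex: str) -> bool:
    """True if the digest is one of the MobOk samples named in the article."""
    return digest_hex.strip().upper() in MOBOK_SHA256


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def notification_listeners(manifest_xml: str) -> list:
    """Services guarded by the notification-listener permission, i.e. able to read every notification."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER]


def triage(manifest_xml: str) -> dict:
    """Score a manifest against the MobOk behaviour: OTP interception via notifications,
    phone-number collection, and Wi-Fi controls that a photo editor does not need."""
    perms = declared_permissions(manifest_xml)
    listeners = notification_listeners(manifest_xml)
    findings = []
    if listeners:
        findings.append(f"notification listener {listeners}: can read SMS verification codes shown as notifications")
    if perms & PHONE_IDENTITY:
        findings.append("phone identity permission: can read the number later placed in a subscription form")
    if perms & WIFI_CONTROL:
        findings.append("Wi-Fi control permissions: unusual for a photo editor")
    if perms & SMS_ACCESS:
        findings.append("direct SMS access: second route to verification codes")
    if listeners and "android.permission.INTERNET" in perms:
        findings.append("INTERNET + notification listener: a hidden WebView could complete an OTP-protected purchase")
    if listeners and (perms & (PHONE_IDENTITY | SMS_ACCESS)):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
    print(matches_ioc("7f5c5a5f57650a44c10948926e107ba9e69b98d1cd1ad47af0696b6cccc08d13"))
```

The hash check is only useful for the eight samples the article names; the manifest heuristic is what generalises, because the combination of a notification-listener service with phone-identity access is what lets a subscription fraud app read the SMS code and finish the purchase without the user, regardless of which build is involved. On a real APK, extract AndroidManifest.xml with a decoder such as apktool first, since the packaged manifest is binary XML rather than the text form parsed here.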
