#1282336: Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing

Description: At the start of the year, Google updated its permission requests in Android applications, and in particular, restricted access to SMS and CALL Log permissions. Google also added requirements for non-default applications (or those that don’t provide critical core features), allowing them to prompt and ask users for permission to access the device’s data.

This restriction is meant to prevent fake or malicious apps from abusing these features to deliver malware, steal personally identifiable information, or perpetrate fraud. But as last year’s mobile threat landscape showed, fraudsters and cybercriminals will always try to follow the money, whether fine-tuning their strategies, finding ways to bypass restrictions, or, in a recent case we’ve seen, revert to old but tried-and-tested techniques.

This is recently exemplified by an app we found on Google Play named “Yellow Camera” (detected by Trend Micro as AndroidOS_SMSNotfy), which poses as a camera and photo beautification or editing app — an increasingly common trick we’ve observed, what with the various information-stealing as well as malware- or adware-ridden apps we’ve uncovered so far this year. While the functions work as advertised, it is embedded with a routine that reads SMS verification codes from the System Notifications, and, in turn, activate a Wireless Application Protocol (WAP) billing. We disclosed our findings to Google, and the app, along with similar ones we saw, are no longer in the Play store.

Based on the name of the file downloaded by the app, it appears it is mostly targeting users in Southeast Asian countries (e.g., Thailand, Malaysia). However, we’ve also seen the app targeting Chinese-speaking users, so it won’t be a surprise if the app to gradually shift or expand their targets. While Google already removed the app from the Play store, we found that the fraudsters uploaded similar apps to the iOS App Store, as shown in Figure 5.

WAP-billing services are widely used as an alternative payment method for users to buy content from WAP-enabled sites. These services charge purchases directly to the user’s phone bill or credits without having to register for services, key in credentials, or use credit or debit cards. Unfortunately, fraudsters appear to have also taken advantage of this convenience. Based on the app’s reviews on the Play Store (Figure 1), some of the users already lost phone credits to the app.

Yellow Camera’s Infection Chain
Here are additional details of Yellow Camera’s infection chain, as visualized in Figure 2:

[MCC+MNC].log, which contains the WAP billing site address and JS payloads, is downloaded from hxxp://new-bucket-3ee91e7f[-]yellowcamera[.]s3[-]ap[-]southeast[-]1[.]amazonaws[.]com. MCC is the SIM provider’s mobile country code; MNC is the mobile network code.
The WAP billing site runs in the background; the site accessed/displayed is telco-specific, based on the [MCC+MNC].log.
The JS payloads auto-clicks Type Allocation Code (TAC) requests — codes used to uniquely identify wireless devices.
For persistence, the malicious app uses the startForeground API to put the service in a foreground state, where the system considers it to be something the user is actively aware of and thus would not be terminated even if the device is low on memory.

We also found other apps (Figure 5), posing as photo filtering or beautifying apps, bearing the same routine of fraudulently subscribing the device to a WAP service. While they do share similar codes, we can’t fully confirm if these apps came from the same operators, or the group behind the Yellow Camera app.

Best practices and Trend Micro solutions
The fraudsters’ technique may appear undistinguished, as WAP billing scams and fraudulent subscription to premium services aren’t new. However, this can be seen as a different approach or response to security controls designed to mitigate threats or deter abuse of device functionalities, particularly the Notifications feature. Previous scams, for example, relied on SMS to fetch verification codes, and would often require the device to switch connections between Wi-Fi and mobile data. Given how it affected the users who installed the apps, the malicious app showed how it can conveniently steal money by abusing the device’s other functionalities.

Also of note is how scammers and cybercriminals adapt their tactics — or the way they ride social networking trends — in their social engineering lures, as we’ve seen increased incidence in using photo editing or beautification apps as decoys to entice unwitting users into downloading fraudulent or malicious apps.

For the end users’ part, however, it pays to read an app’s reviews before installing them, as they can help identify apps with fraudulent or suspicious behaviors. Users should also adopt best practices for securing mobile devices, especially against socially engineered threats.
More info: https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/

Date added Oct. 19, 2019, 12:07 p.m.
Source TrendMicro
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • Android Malware - New Reports in
  • Google Play / Play Store / PlayStore
  • Mobile Apps - Android New Reports in
  • Mobile Malware and Threats - Various
  • Mobile Malware - New Reports in