MobOk Mobile Malware

MobOk is Android malware that is found in legitimate markets such as the Google Play Store. It collects information about the victim's device in the background, including the phone number and network operator, and sends it to the attacker. The malware then subscribes the victim to premium mobile content providers in Russia, England and Thailand without the user's knowledge or consent. It is also capable of grabbing the SMS verification codes used in two-factor authentication services.

This malware comes in two apps on the legitimate Google Play Store, "Pink Camera" (package name: com.paint.oil) and "Pink Camera 2" (package name: com.psbo.forand), both of which are photo editing apps. When installed they request access to Wi-Fi controls, and when run they request access to notifications, which is unusual for this type of program. After installation, the malware gathers information in the background and sends it to the attacker's command and control server.

In response, the software receives a set of links (depending on the country and network operator) to subscription pages and loads them in a window hidden from the victim. The malware then performs the actions required to subscribe the victim to the desired premium services:

  • It substitutes the user's phone number (obtained while gathering information) into the relevant field.
  • If the subscription page is CAPTCHA-protected, the app uses the image recognition service "chaojiying" and automatically inserts the result into the relevant field on the page.
  • If an SMS code is required (in 2FA services), the app gets it through its access to notifications.
  • It clicks the "subscribe" button.

Symptoms of infection

An increase in mobile phone bill costs.

Methods of Cleaning an Infected Mobile Device

To remove the malware, uninstall the applications that contain it, such as "Pink Camera" and "Pink Camera 2", from the applications menu.
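To confirm whether a device carries either package named above, and which apps currently hold notification access, the output of `adb shell pm list packages` and `adb shell settings get secure enabled_notification_listeners` can be audited. The following is an added example, not part of the original advisory; the sample output, its class names, the `com.example.*` packages and the `expected_listeners` allowlist are constructed for illustration.

```python
# Added example: audit adb output for the MobOk indicators in this advisory.
MOBOK_PACKAGES = {"com.paint.oil", "com.psbo.forand"}  # names from the text


def parse_pm_list(output):
    """Parse `adb shell pm list packages` lines ('package:<name>')."""
    prefix = "package:"
    return {ln.strip()[len(prefix):] for ln in output.splitlines()
            if ln.strip().startswith(prefix)}


def parse_listeners(value):
    """Parse `adb shell settings get secure enabled_notification_listeners`.

    The value is a colon-separated list of '<package>/<class>' components;
    'null' or an empty string means no app holds notification access.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]


def audit(pm_output, listeners_value, expected_listeners=frozenset()):
    """Return (finding, package) tuples, known-bad packages first."""
    findings = [("mobok-package-installed", p)
                for p in sorted(parse_pm_list(pm_output) & MOBOK_PACKAGES)]
    for pkg, _cls in parse_listeners(listeners_value):
        if pkg in MOBOK_PACKAGES:
            findings.append(("mobok-has-notification-access", pkg))
        elif pkg not in expected_listeners:
            findings.append(("unexpected-notification-listener", pkg))
    return findings


# Constructed sample output (class names and the other packages are made up).
SAMPLE_PM = """package:com.android.settings
package:com.paint.oil
package:com.example.smartwatch
package:com.example.flashlight"""
SAMPLE_LISTENERS = ("com.example.smartwatch/.NotifyService:"
                    "com.paint.oil/.a.NService:"
                    "com.example.flashlight/.Listener")

if __name__ == "__main__":
    # Assumption: the user knowingly granted access to the smartwatch app.
    for finding in audit(SAMPLE_PM, SAMPLE_LISTENERS, {"com.example.smartwatch"}):
        print(*finding)
```

Any app reported as an unexpected notification listener can read incoming SMS codes from notifications, so it deserves the same scrutiny as the two named packages.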

Methods of Infection Prevention

The following recommendations can play a significant role in preventing mobile phones from being infected by the above-mentioned malware.

  • Consider the permissions required by the application to be installed
    During installation, Android applications request permissions that the user must accept. It is very important not to install an application if it requires more permissions than it needs for the functionality it provides (based on the developer's description of the application).
  • Use content-blocking options in browsers
    Enable or disable certain options for websites, such as disabling JavaScript and notifications.
  • Install anti-virus software and update it periodically
    In recent years, the widespread prevalence of malware and viruses on Android mobile devices has caused many problems for smartphone users, so installing an anti-virus program is essential to prevent Android devices from being infected and malware from spreading.

Also note that you should always use a trusted and reliable anti-virus program and update it periodically so that newly released malware is detected as soon as possible.