Android users should keep their eyes peeled for a curious scam technique discovered on Google Play – one going directly after their money and relying solely on user inattention.

The app seen using the technique, a game uploaded under the name “Pingu Cleans Up”, attempted to trick users into unwittingly signing up for a €5.49 per week subscription using Google Play’s own legitimate payment method. The trick works on the assumption that some users will “click away” any legitimate-looking windows that keep them from running the game itself, without paying much attention to their contents. The primary target of the scam are users with credit card information stored in their Google Play accounts.

Figure 1 – The deceptive game discovered on Google Play

The game was first uploaded to Google Play on February 8, 2018, and was installed between 50,000 and 100,000 times before being taken down after ESET notified Google. Looking at the game’s rating and reviews, it seems that it has appealed to some users regardless of its misleading use of Google Play’s payment method; nevertheless, negative ratings prevail, as seen in Figure 2.

Figure 2 – Mixed app ratings and negative user reviews on Google Play

How does the scam work?

After being launched, the app makes users specify their game character in three steps. In the first two steps, in order to pick the desired attribute, users need to tap “confirm” on a pop-up window appearing in the foreground.  In the third step, users with stored credit card details will see a window similar to the previous two, but with the “confirm” button replaced by a “subscribe” button, as seen in Figure 3.

Clicking on the “subscribe” button results in the victims being charged €5.49 on the card attached to their accounts. The payment is then repeated weekly until the user unsubscribes from the app.

Note: Victims of this particular scam no longer need to do this manually, as the subscriptions have automatically been cancelled with the app’s removal from the Google Play store.

Figure 3 – The three steps attempting to mislead users with stored card details into paying a subscription

Users with no credit card attached to their accounts are shown a different window in the third step – one requesting them to add a payment method to complete the purchase (Figure 4). The need for active participation makes such users much less prone to falling for this type of scam (which relies on the users’ lack of caution in the first place).

Figure 4 – A different third step displayed to users without stored credit card details

 

How to stay safe

In the case of “Pingu Cleans Up”, users might have noticed several red flags even before the sneaky “subscribe” window appeared:

  • Unclickable “Terms of use” in all three steps shown in Figure 3
  • Payment request immediately upon launch, despite the app being listed as free on Google Play
  • Negative rating and reviews on Google Play

To avoid being tricked by scams like this one, always pay attention to unexpected prompts and think twice before confirming any such requests. Before installing an app, make sure to check its ratings and reviews. If you allow your kids to install and play games on your device, you are advised to create a separate account for this purpose without a credit card attached to it.

Last but not least, a reliable mobile security solution will help to protect your Android device from the latest threats.

 

IoCs

Package name Hash Detection name
com.pingu.cleansup 5AAE46B3D0C2D7430C75AB076E748C3CA3025E02 Android/FakeApp.IF