Cybercriminals often depend on their victims not paying attention to their online environment, whether that means falling for a phishing email or not reading what they are clicking on while playing a game. The latter is the case with a cybercriminal intent on duping mobile game players.
ESET came across a mobile game called Pingu Cleans Up that the security firm found in Google's official app store and which used Google's own payment method as the tool to take money from its victims. The game was initially uploaded to Google Play on February 8 and has been downloaded between 50,000 and 100,000 times, ESET reported.
What the malicious actor wants is for the victim's attention to be totally focused on getting the game up and running and not on the content inside the windows that pop up.
“The trick works on the assumption that some users will ‘click away’ any legitimate-looking windows that keep them from running the game itself, without paying much attention to their contents. The primary target of the scam are users with credit card information stored in their Google Play accounts,” ESET wrote.
What ends up happening is that one of the set-up buttons, when clicked, signs the user up for a $7.70-per-week subscription that is paid to the cybercriminal.
Getting to this point requires a little bit of social engineering by the perpetrator and gullibility by the user. After the app is downloaded and launched it makes the user choose a game character and its attributes. To authorize each of these choices a confirm window pops up and must be clicked.
The third such pop-up is the nefarious one. While it looks the same as the others, its button reads "Subscribe" rather than "Confirm", and when clicked it uses the payment card information stored with Google to set up the previously discussed subscription. The payment is charged weekly until the user unsubscribes.
Google has since been notified, removed the game and cancelled all subscriptions.