Yellow Camera: A Malicious Google Play Store App

Love editing your photos? More than two dozen Android photo-editing apps in the Google Play Store have been found to contain malware that redirects users to phishing sites. If you have such apps installed, it's time to recheck and review your apps. This article explains how the apps infect your device and what the current situation is.



To enhance security, Google earlier this year updated its permission requests for Android apps and restricted access to the SMS and Call Log permissions. Google also added requirements for non-default applications, allowing them to prompt users for permission to access the device's data.

The Problem:

The restriction is meant to prevent fake or malicious apps from abusing these features to deliver malware, steal personally identifiable information, and perpetrate fraud. According to the researchers, malware identified as AndroidOS_SMSNotify was discovered in the Yellow Camera app on the Google Play Store. The malware poses as a camera and photo beautification app, a common trick used by attackers.

The app, named 'Yellow Camera' on Google Play, is capable of reading SMS verification codes from system notifications.

The malicious routine reads SMS verification codes from system notifications and uses them to activate Wireless Application Protocol (WAP) billing. The Yellow Camera app is quite popular in South Asian countries. The app targets users from these regions, and it is continuously expanding its target areas. A similar fraud app was detected by the researchers on the iOS App Store.

WAP-billing services:

There is a rise in mobile malware that steals money from Android users through Wireless Application Protocol (WAP) billing. Mobile network operators widely use WAP billing for paid services and subscriptions. Cybercrooks are abusing this legitimate technology by developing malicious apps that siphon money from the victim's account.

Users tend to use WAP-billing services as an alternative payment method to buy content from WAP-enabled sites. Purchases made through these services are charged directly to the user's phone bill or credits; there is no need to register for services, enter credentials, or use credit or debit cards. Victims have lost their phone credits to the app on the Play Store.

The main aim of this malicious app is to activate WAP billing by reading the system notifications. WAP-billing services are widely used as an alternative payment method for users to buy content from WAP sites.

Using Photo-editing, filtering, beautifying apps? Beware!!


How does Yellow Camera Infection work:

  1. The app downloads [MCC+MNC].log, which contains the WAP billing site address and JS payloads, over a malicious HTTP transfer. (Here, MCC is the SIM provider's mobile country code and MNC is the mobile network code.)
  2. The WAP billing site runs in the background.
  3. The site accessed/displayed is telco-specific, based on the [MCC+MNC].log.
  4. The JS payloads auto-click Type Allocation Code (TAC) requests – codes used to identify wireless devices uniquely.

The infection proceeds through the following steps:

  1. Ask for permission to access the Notifications feature.
  2. Download a file containing JS payloads and WAP subscription addresses.
  3. Open a WAP-enabled or billing site via WebView.
  4. JS payloads auto-click the TAC request button.
  5. Read the verification code sent via SMS through system notifications.
  6. JS payloads fill in the code to confirm the fraudulent subscription.

The malicious app uses the `startForeground` API for persistence, which puts its service in the foreground state. The system then assumes the user is actively aware of the activity and does not terminate the service even if the device is low on memory.
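The permission pattern behind these steps can be checked before an app is installed on managed devices. The following is an added example, not code from the original article or the researchers: it assumes a decoded AndroidManifest.xml is available as text, and the sample manifests, package names and the `needs_review` rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def triage_manifest(manifest_xml):
    """Flag the permission pattern of the routine above in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    listeners = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == LISTENER_PERM or LISTENER_ACTION in actions:
            listeners.append(svc.get(A + "name"))
    result = {
        "package": root.get("package"),
        "notification_listeners": listeners,
        "internet": "android.permission.INTERNET" in perms,
        # Only declared on API 28+, so reported but not required for the verdict.
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
        "sms_permission": bool(perms & SMS_PERMS),
    }
    # Codes are read from notifications, so the app needs no SMS permission:
    # a network-capable app with a notification listener deserves manual review.
    result["needs_review"] = bool(listeners) and result["internet"]
    return result

# Constructed manifests for illustration; package and class names are made up.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".NotifyService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaincamera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
```

A photo-editing app has no functional need for a notification listener, so a `needs_review` hit on an app in that category is worth escalating even though the app requests no SMS permission.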

Other malicious apps pose as photo-filtering or beautifying apps and carry the same routine. These apps, similar to the Yellow Camera app, share identical code.

How to stay safe from such malicious apps?

  1. Read an app's reviews before installing it, as they can help identify apps with malicious or suspicious behavior.
  2. Ratings are also crucial for that matter.
  3. Adopt security best practices for your handsets, especially against socially engineered threats.
  4. Use security solutions against threats like stealthy ads. Download a mobile security app for Android on Google Play that blocks such malicious apps.

Are you interested in knowing about more day-to-day cyber threats? Then you are at the right place at the right time. This was all about the malicious Yellow Camera app; it brings me back to a recent post, Hack the Proxy. Hack the Proxy was the first bug bounty program focusing on finding vulnerabilities in the publicly accessible proxy servers of a government-owned organization (Pentagon, U.S.). To know more, visit here!

Stay Updated. Stay Protected!



An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness. Currently working as a Head of Content, content writer & creator at BLARROW.TECH
