{
	"id": "cfa82663-992d-4e4c-acb0-8f684353f3ad",
	"created_at": "2026-04-06T00:09:27.620318Z",
	"updated_at": "2026-04-10T03:30:32.780406Z",
	"deleted_at": null,
	"sha1_hash": "331d0af7bebdf39b8d9dcb82fe9e51a91680b88e",
	"title": "Adware Apps Seen With Optimized Evasion Features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68113,
	"plain_text": "Adware Apps Seen With Optimized Evasion Features\r\nBy Song Wang\r\nPublished: 2019-10-18 · Archived: 2026-04-05 20:36:31 UTC\r\nAt the start of the year, Google updated its permission requests in Android applications, and in particular, restricted access to SMS and CALL Log permissions. Google also added requirements for non-default applications (or those that don’t provide critical core features), allowing them to prompt and ask users for permission to access the device’s data.\r\nThis restriction is meant to prevent fake or malicious apps from abusing these features to deliver malware, steal personally identifiable information, or perpetrate fraud. But as last year’s mobile threat landscape showed, fraudsters and cybercriminals will always try to follow the money, whether by fine-tuning their strategies, finding ways to bypass restrictions, or, in a recent case we’ve seen, reverting to old but tried-and-tested techniques.\r\nThis is recently exemplified by an app we found on Google Play named “Yellow Camera” (detected by Trend Micro as AndroidOS_SMSNotfy), which poses as a camera and photo beautification or editing app — an increasingly common trick we’ve observed, given the various information-stealing as well as malware- or adware-ridden apps we’ve uncovered so far this year. While the functions work as advertised, it is embedded with a routine that reads SMS verification codes from the system notifications and, in turn, activates Wireless Application Protocol (WAP) billing. We disclosed our findings to Google, and the app, along with similar ones we saw, is no longer in the Play Store.\r\nBased on the name of the file downloaded by the app, it appears to be mostly targeting users in Southeast Asian countries (e.g., Thailand, Malaysia). However, we’ve also seen the app targeting Chinese-speaking users, so it won’t be a surprise if the app gradually shifts or expands its targets. While Google already removed the app from the Play Store, we found that the fraudsters uploaded similar apps to the Play Store, as shown in Figure 5.\r\nWAP-billing services are widely used as an alternative payment method for users to buy content from WAP-enabled sites. These services charge purchases directly to the user’s phone bill or credits without having to register for services, key in credentials, or use credit or debit cards. Unfortunately, fraudsters appear to have also taken advantage of this convenience. Based on the app’s reviews on the Play Store (Figure 1), some of the users already lost phone credits to the app.\r\nFigure 1. Screenshot showing reviews about the app; one user noted how she lost mobile credits after installing the app\r\nFigure 2. Infection chain of the malicious app\r\nYellow Camera’s Infection Chain\r\nHere are additional details of Yellow Camera’s infection chain, as visualized in Figure 2:\r\n[MCC+MNC].log, which contains the WAP billing site address and JS payloads, is downloaded from hxxp://new-bucket-3ee91e7f[-]yellowcamera[.]s3[-]ap[-]southeast[-]1[.]amazonaws[.]com. MCC is the SIM provider’s mobile country code; MNC is the mobile network code.\r\nThe WAP billing site runs in the background; the site accessed/displayed is telco-specific, based on the [MCC+MNC].log.\r\nThe JS payloads auto-click Type Allocation Code (TAC) requests — codes used to uniquely identify wireless devices.\r\nFor persistence, the malicious app uses the startForeground API to put the service in a foreground state, where the system considers it to be something the user is actively aware of and thus would not terminate it even if the device is low on memory.\r\nWe also found other apps (Figure 5), posing as photo filtering or beautifying apps, bearing the same routine of fraudulently subscribing the device to a WAP service. While they do share similar code, we can’t fully confirm whether these apps came from the same operators, or the group behind the Yellow Camera app.\r\nFigure 3. Code snippet showing the file being downloaded by the app\r\nFigure 4. Snapshot of WAP-billing site where TAC is requested and subscription is confirmed\r\nFigure 5. Screenshots of apps with malicious routines similar to those of the Yellow Camera app\r\nBest practices and Trend Micro solutions\r\nThe fraudsters’ technique may appear undistinguished, as WAP billing scams and fraudulent subscriptions to premium services aren’t new. However, this can be seen as a different approach or response to security controls designed to mitigate threats or deter abuse of device functionalities, particularly the Notifications feature. Previous scams, for example, relied on SMS to fetch verification codes, and would often require the device to switch connections between Wi-Fi and mobile data. Given how it affected the users who installed the apps, the malicious app showed how it can conveniently steal money by abusing the device’s other functionalities.\r\nAlso of note is how scammers and cybercriminals adapt their tactics — or the way they ride social networking trends — in their social engineering lures, as we’ve seen an increased incidence of photo editing or beautification apps being used as decoys to entice unwitting users into downloading fraudulent or malicious apps.\r\nFor the end-users’ part, however, it pays to read an app’s reviews before installing it, as they can help identify apps with fraudulent or suspicious behaviors. Users should also adopt best practices for securing mobile devices, especially against socially engineered threats.\r\nUsers can also benefit from security solutions that can thwart stealthy adware, such as Trend Micro™ Mobile Security for Android™ products (also available on Google Play), which blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and that safeguard them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, the Trend Micro™ Mobile Security for Enterprise products suite provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nThe indicators of compromise (IoCs) are in this appendix.\r\nMITRE ATT\u0026CK techniques\r\nTactic | Technique | ID | Description\r\nInitial Access | Deliver Malicious App via Authorized App Store | T1475 | Used to upload malware to Google Play store\r\nPersistence | App Auto-Start at Device Boot | T1402 | Used to listen for the BOOT_COMPLETED broadcast\r\nImpact | Premium SMS Toll Fraud | T1448 | Used to autofill content on WAP billing page by embedded JS\r\nExfiltration | Alternate Network Mediums | T1438 | Used to connect to cellular networks rather than Wi-Fi\r\nCommand and Control | Standard Application Layer Protocol | T1437 | Used to communicate with remote C\u0026C server\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/"
	],
	"report_names": [
		"fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/331d0af7bebdf39b8d9dcb82fe9e51a91680b88e.pdf",
		"text": "https://archive.orkl.eu/331d0af7bebdf39b8d9dcb82fe9e51a91680b88e.txt",
		"img": "https://archive.orkl.eu/331d0af7bebdf39b8d9dcb82fe9e51a91680b88e.jpg"
	}
}