Phishing attacks that prey on unsuspecting users who don’t check URLs or who fall for fake popups are nothing new, but a scam that uses Google’s own payment confirmation popup to take money from unwary users has now appeared in the Play Store. Although the app seen below, Pingu Cleans Up, has since been removed, the technique it used could be employed by any app, and it requires no extra work to get past Google Play Protect. The app pops up two dummy confirmation windows that are completely harmless, then a third that is meant to be clicked through absentmindedly, most likely by an exasperated user who just wants to get into the game. That third popup, however, is a weekly payment confirmation. Affected users should know that Google has already canceled all payments, so no further action needs to be taken. If you made a payment and unlocked the app, it is safe to continue using if you really want to, but for obvious reasons you shouldn’t expect any updates. If the game contains any more paywalls further in, you also won’t be able to get past those.
The scam makes use of an interesting concept in human psychology known as operant conditioning. The famous Flappy Bird used it to an extent: players were conditioned to tap repeatedly, so the same tap pattern carried over from failing a run to starting a new game, which led them to tap on ads by accident and earned the app’s creator higher-tier ad payments. Here, users are conditioned in short order to tap through the confirmation dialogs, but the third one triggers a payment subscription. The inherent trust inspired by Google’s own popup helps the process along. If you have a password required for payments, or have no payment information set up at all, this type of scam is far less likely to catch you. This particular scam fits into a larger category normally associated with phishing attacks, known as social engineering.
As of this writing, Google has yet to say anything about this sort of attack. It is able to reach unsuspecting users because it breaks no rules on the technical side, although, to be clear, attempting to take advantage of or defraud users does violate the Play Store’s terms of service. The moral of this story is a familiar one on the internet: keep your wits about you, and always pay attention to detail, no matter how trustworthy something seems.