ESET researchers discover fraudulent schemes piggybacking on the popularity of the face-modifying tool FaceApp, using a fake “Pro” version of the application as a lure.
The latest hype around the FaceApp application has attracted scammers who want to make a quick profit. The FaceApp application, which offers various face-modifying filters, is available for both Android and iOS. While the app itself is free, some features, marked as “PRO”, are paid. Recent concerns about FaceApp privacy issues have generated a huge wave of media attention. Scammers have been trying, to various ends, to exploit this wave of interest, using a fake “Pro” – yet free – version of the application as a lure. We have seen two ways the scammers try to make money from the non-existent “Pro” version of FaceApp.
Fake websites
In one of the scams we have seen, attackers have used a fake website that claims to offer the “premium” version of FaceApp for free.
In reality, the scammers trick their victims into clicking through countless offers for installing other paid apps and subscriptions, ads, surveys, and so on. Victims also receive requests from various websites to allow displaying notifications. When enabled, these notifications lead to further fraudulent offers.
During our test, we ended up with the regular, free version of FaceApp that is also available on Google Play. However, instead of using Google Play as the source, the app was downloaded from a popular file-sharing service. This means users could easily end up downloading malware if that was the attackers’ intention.
YouTube videos
The second type of scam includes YouTube videos, again promoting download links for a free “Pro” version of FaceApp. The shortened download links, however, point to apps whose only functionality is to make users install various additional apps from Google Play. While this type of scam is typically used merely to deliver ads, the shortened links could lead to users installing malware in just one click. We have seen this happen in the past, for example with Fortnite used as a lure.
Conclusion
Hypes attract scammers, and the bigger the wave, the higher the risk of falling victim of a scam. Before joining the hype, users should remember to stick to basic security principles. Regardless how exciting the topic is, avoid downloading apps from sources other than official app stores, and examine available information about the app (developer, rating, reviews, etc.). Especially in the Android ecosystem, there are fakes around every popular app or game. As insurance for the case the user falls victim to a scam, having a reputable security app installed on a mobile device can help prevent some negative consequences.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.