A Filipino smartphone user on Wednesday, April 28, detailed in a Facebook post how a scam used his hacked Google credentials to steal P15,400 from him through a Google Play subscription.
Raymon Dullana found out on the morning of Tuesday, April 27, that P15,400 was missing from his UnionBank online account. The money had been transferred under the transaction code VISA*GOOGLE, a transaction that he says he never made.
Dullana checked his Gmail for records of Google transactions. Normally, Google sends transaction records for Google services through email. He wasn’t able to find any. He later discovered that he had indeed been hacked, seeing a Galaxy S10 5G log-in on Saturday, April 24, which he didn’t make.
From that date, the hackers took over his account and turned off 2-factor authentication; deleted the email alert about the hacker log-in and archived the email alert about 2-factor authentication being turned off; and finally set up a filter that automatically redirected Google Play transaction records from the inbox to an archived folder. Dullana never saw the records being sent to him.
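An inbox filter like the one described above is something an account owner or administrator can audit for. The following is an added example, not part of the original report: it assumes the account's filters are available in the Gmail API filter resource shape (`criteria`, `action`), and the watch terms and sample filters are constructed for illustration.

```python
# Added example: audit Gmail filters for rules that hide payment or security mail.
# Filter dicts follow the Gmail API filter resource shape (criteria / action).
# WATCH_TERMS and SAMPLE_FILTERS are assumptions constructed for illustration.

WATCH_TERMS = ("google play", "googleplay", "receipt", "security alert",
               "2-step verification", "payments")

# Label changes that keep a matching message out of the owner's sight.
HIDING_LABEL_CHANGES = {
    "removeLabelIds": {"INBOX": "skips the inbox (archive)",
                       "UNREAD": "marks as read"},
    "addLabelIds": {"TRASH": "sends to trash"},
}

def hiding_actions(action):
    """Return descriptions of the ways a filter action hides mail."""
    found = []
    for key, labels in HIDING_LABEL_CHANGES.items():
        for label in action.get(key, []):
            if label in labels:
                found.append(labels[label])
    return found

def audit_filters(filters):
    """Return (filter_id, matched_terms, actions) for each suspicious filter."""
    findings = []
    for f in filters:
        criteria = f.get("criteria", {})
        text = " ".join(str(criteria.get(k, ""))
                        for k in ("from", "subject", "query")).lower()
        terms = [t for t in WATCH_TERMS if t in text]
        actions = hiding_actions(f.get("action", {}))
        # Flag only filters that both target watched mail and hide it.
        if terms and actions:
            findings.append((f.get("id"), terms, actions))
    return findings

SAMPLE_FILTERS = [  # constructed sample data, not taken from the incident
    {"id": "constructed-1",
     "criteria": {"from": "googleplay-noreply@google.com"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "constructed-2",
     "criteria": {"subject": "Weekly newsletter"},
     "action": {"removeLabelIds": ["INBOX"]}},
    {"id": "constructed-3",
     "criteria": {"query": "\"security alert\""},
     "action": {"addLabelIds": ["Label_12"]}},
]

if __name__ == "__main__":
    for fid, terms, actions in audit_filters(SAMPLE_FILTERS):
        print(f"{fid}: matches {terms}; {', '.join(actions)}")
```

Any filter this flags that the account owner does not remember creating is worth treating as a sign of takeover, alongside unrecognized device log-ins and changes to 2-factor authentication settings.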

Dullana’s Google account, without his knowledge, was made to subscribe to two apps called Zombie Afterpaty (note the misspelling) and Crazy Shooter, both published on April 16, 2021, by a publisher called BSS Mode. Dullana was charged P15,400 for the subscription to the former, while the latter was about to charge him P18,000, but he was able to cancel it in time.
The descriptions for the games are very sparse: “shoot enemies and survive,” “survive in zombie world.” On the in-app purchases row, the price range “P15,400 – P18,000 per item” is listed for Zombie Afterpaty and “P14,100 – P18,000 per item” for Crazy Shooter.
These kinds of apps are typically called fleeceware – apps that lure in users with a free trial hiding an unusually exorbitant subscription rate that takes effect after the trial. Cybersecurity firm Avaaz in March 2021 reported finding 204 of these with over a billion downloads, netting the scammers US$400 million.
The BSS Mode apps in question, though, are different in that they were used as instruments to obtain money through hacked Google credentials. The hack took advantage of the knowledge that bank accounts can be connected to a Google Play Store account. More typically, fleeceware apps are downloaded by users themselves and perform their function in the hope of eventually trapping a user.
In light of the BSS Mode scam, some users suggest using a dedicated e-payment account that will only be funded during the time of purchasing instead of having a debit or credit card connected to an online account or e-commerce site. – Rappler.com
Have you been a victim of an online scam? Email the editor at angelo.gonzales@rappler.com.