This morning I found an email in my inbox that looked like this:
The first impression was like “What?!”. It’s true that recently Google Play Developer Policies were modified, and I heard stories from developers who had their accounts terminated because of violations of content policy. So in the current context this email seemed like true.
However, after a closer examination I noticed a few suspect things.
1. Firstly, the email address firstname.lastname@example.org was too suspicious to believe that it is from Google.
2. Secondly, the email was sent not only to me, but to a list of people.
3. All the links appearing in the email pointed to the same and one url.
4. And lastly, the real urls were masked behind goo.gl URL Shortener, which again I found it suspicious.
So I opened one of the links in the email in a private window, and the following page was displayed.
The google Sign in box, the text that appears in the page, and the color scheme, makes it appear as something known for an Android developer.
However if you take a closer look at the page url, you may notice that the page is not hosted on Google servers, but on some address, savegaselectricity(dot)com. Also, it has a parameter named “continue” with the real google play page as value. Probably after successfully logging, to redirect you to real Google Play Developer Console page, so you won’t see notice anything strange.
The technique used by the attacker in fact is not new, it is one variation of impersonation attacks, where an attacker impersonates a legitimate site, tricking the users to log in and stealing their passwords.
So, if you will receive such an email, delete it, your google play account most probably is ok. If however you already used the fake page to login, change your password immediately.
As a rule of thumb, always be skeptical.
Do not click on links, download files or open attachments in emails from unknown senders. If you get one of these emails and are worried that there may be a real problem with your account, open up a new browser window, go directly to your Developer Console site and sign in there.