Phishing attacks that target unsuspecting users who do not check URLs or watch for fake popups are nothing new. Now a scam has appeared on the Play Store that uses Google's own verification pop-up to take money from careless users. Although the app "Pingu Cleans Up" below can no longer be used, the type of fraud it uses could potentially be used by any app without Google Play Protect having to do extra work. The app opens two dummy confirmation windows, which are completely harmless, and then a third, which is likely to be tapped away in a hurry by an annoyed user who only wants to get into the game. However, this third popup is a weekly payment confirmation. Affected users should know that Google has already canceled all payments, so no further action is required. If you've made a payment and unlocked the app, you can still use it if you really want to, but for obvious reasons, you should not expect updates. If the game contains further paywalls, you will not be able to get past them.
The scam relies on an interesting concept in human psychology. Known as operant conditioning, it was used to some degree in the famous Flappy Bird: users were essentially conditioned into a tapping pattern that did not lead to a new game being started. As a result, ads were inadvertently clicked and the developer's ad payments were higher. Here, users are quickly conditioned to tap through the confirmation dialogs, but the third one triggers a payment subscription. The inherent trust that comes with Google's own popup supports the process. If you've set a password for payments, or no payment information is set up, this type of fraud is much less likely. This particular scam falls into a larger category that is commonly used for phishing attacks and is known as social engineering.
At the moment, Google does not have anything to say about this type of attack. The scam is able to reach unsuspecting users because it does not violate any rules on the technical side, although attempting to abuse or cheat users violates the Play Store Terms of Service. The moral of this story is one that can be heard across the internet: keep your wits about you and always look at the details, no matter how trustworthy something looks.