Traditional advice is to use the official app stores to avoid mobile malware, but a Spanish security firm has discovered four apps available via Google Play that trick their users into covertly subscribing to premium SMS services, with the money taken through their phone bills.
Luis Corrons, Technical Director of Panda Security's PandaLabs research arm, blogged about the discovery yesterday. His team found four apps (on dieting, baking, exercise and hairstyling) that all use a similar process to scam their users. The basic method is to trick the user into accepting terms and conditions that go well beyond anything a user of such an app would expect.
Using the diet app as an example, Corrons shows that users are presented with an invitation to view one of the diets. Clicking 'Enter' pops up a small window asking the user to accept the app's terms of service, but those terms are separated from the pop-up, greyed out, and in tiny, unreadable text. What they actually grant is permission for the app to subscribe the device to an external service.
Of course, it's not as simple as that. First, the app 'steals' the user's phone number from WhatsApp (a popular app that requires the user's number and is statistically quite likely to be installed). It then covertly subscribes that number to a premium SMS service, waits for the service's confirmation request, intercepts it and replies in the affirmative, all without any notification to the user. The user eventually gets a charge 'hidden' in the mobile phone bill for a service they never knew they were using.
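On Android, the sequence just described needs at least the RECEIVE_SMS permission (to see the confirmation message), SEND_SMS (to answer it), and usually a broadcast receiver for SMS_RECEIVED registered at high priority so the app sees the message before the user's messaging app does. A diet or hairstyling app has no business holding that combination. The following triage script is an added example for this article, not PandaLabs' tooling: it parses a decoded AndroidManifest.xml (the plain XML that apktool or aapt produces) and flags apps whose declared permissions and receivers give them that capability. The permission and action names are real Android identifiers; the two sample manifests, the package names and the list of categories that never need SMS are constructed for illustration and are the editor's own.

```python
"""Triage a decoded AndroidManifest.xml for premium-SMS fraud capability.

Added example for this article; not PandaLabs' code. Input is the manifest
as apktool/aapt decode it. Permission and action names are real Android
identifiers; the risk rule and the sample manifests are the editor's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android: attributes

RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Permissions that expose the device's own number or accounts
IDENTITY_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
}
# App categories with no legitimate need to send or intercept SMS (editor's list)
NO_SMS_CATEGORIES = {"diet", "recipes", "fitness", "hairstyle", "wallpaper", "game"}


def declared_permissions(root):
    """All <uses-permission android:name="..."/> values in the manifest."""
    return {e.get(A + "name") for e in root.iter("uses-permission")}


def sms_receiver_priorities(root):
    """android:priority of every receiver whose intent-filter lists SMS_RECEIVED.

    A filter without an explicit priority defaults to 0. Fraud apps set a high
    value so their receiver runs before the messaging app's and can act on
    (or, on older Android versions, abort) the broadcast first.
    """
    priorities = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priorities.append(int(flt.get(A + "priority", "0")))
    return priorities


def assess(manifest_xml, category):
    """Return a verdict dict for one manifest given the app's store category."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    priorities = sms_receiver_priorities(root)
    findings = []

    can_auto_confirm = RECEIVE_SMS in perms and SEND_SMS in perms
    if can_auto_confirm:
        findings.append("can both receive and send SMS (enough to auto-confirm a subscription)")
    if any(p > 0 for p in priorities):
        findings.append("SMS_RECEIVED receiver with priority %d (sees the message before the messaging app)"
                        % max(priorities))
    identity = sorted(perms & IDENTITY_PERMS)
    if identity:
        findings.append("can read device identity: " + ", ".join(identity))

    sms_capable = can_auto_confirm or any(p > 0 for p in priorities)
    if sms_capable and category in NO_SMS_CATEGORIES:
        verdict = "SUSPICIOUS"   # SMS interception in an app that never needs SMS
    elif sms_capable:
        verdict = "REVIEW"       # plausible for a messaging app, still worth a look
    else:
        verdict = "OK"
    return {
        "package": root.get("package"),
        "verdict": verdict,
        "findings": findings,
        "sms_receiver_priority": max(priorities) if priorities else None,
    }


# Constructed sample manifests (hypothetical package names).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dietplans">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Diet Plans">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Recipes"/>
</manifest>"""

if __name__ == "__main__":
    for xml, cat in ((SUSPECT_MANIFEST, "diet"), (BENIGN_MANIFEST, "recipes")):
        print(assess(xml, cat))
```

The category check is what turns a capability into a finding: a messaging app legitimately holds RECEIVE_SMS and SEND_SMS, so the same manifest gets only REVIEW outside the no-SMS categories. In practice you would feed the script the manifest of every app in a store listing or a device dump rather than the two constructed ones.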
This type of scam is a growing problem.
"I know that lots of people only ever give their bill a cursory glance or don't even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missus had been paying insurance and tech support on a phone she hadn't used for 5 years," a PandaLabs spokesperson told Infosecurity.
"Whether the cyber criminals choose to use the app as often as possible to rack up their income knowing they will get caught quickly, or the under-the-radar method [small amounts from a lot of victims] where they will try to go unnoticed, depends on the criminal's choice," Corrons told Infosecurity.
He did some quick arithmetic on a projected volume of anything up to 1.2 million downloads of the four apps. "They charge a lot of money for premium SMS services; if we make a conservative estimate of $20 charged per terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!" At $20 per victim, the $6 million figure corresponds to 300,000 charged devices and the $24 million figure to the full 1.2 million. And this, of course, is just for the four apps that he found.
These particular apps were found in the Spanish Google Play store. They contravene Google's new terms and conditions for Play, which insist on a single purpose and clear terms. How Google intends to enforce those terms remains to be seen, but Corrons confirmed to Infosecurity that these four have now been removed from Play.