Traditional advice is to use the official app stores to avoid mobile malware – but a Spanish security firm has discovered four apps available via Google Play that scam their users into covertly subscribing to premium SMS services and stealing money through their phone bills.
Luis Corrons, technical director of Panda Security's PandaLabs research arm, blogged about the discovery yesterday. His team had found four particular apps (on dieting, baking, exercise and hairstyling) that all use a similar process to scam their users. The basic methodology is to trick the user into accepting terms and conditions well beyond those expected.
Using the diet app as an example, Corrons shows that users are presented with an invitation to view one of the diets. Clicking 'Enter' pops up a small window that asks the user to accept the app's terms of service – but those terms are separated from the pop-up, greyed out, and in tiny, unreadable text. They actually grant the app permission to subscribe the device to an external service.
Of course, it's not as simple as that. Firstly, the app 'steals' the user's phone number from WhatsApp (a popular app that requires the user's number and is statistically quite likely to be installed). It then covertly subscribes the user to a premium SMS service, waits for the confirmatory request from the service, intercepts it and responds in the affirmative – all without any notification to the user. The user eventually gets presented with a bill 'hidden' in the mobile phone charge for a service he didn't know he was using.
This type of scam is a growing problem. "I know that lots of people only ever give their bill a cursory glance or don't even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missus had been paying insurance and tech support on a phone she hadn't used for 5 years," a PandaLabs spokesperson told Infosecurity.
"Whether the cyber criminals choose to use the app as often as possible to rack up their income knowing they will get caught quickly or the under-the-radar method [small amounts from a lot of victims] where they will try to go unnoticed depends on the criminal's choice," Corrons told Infosecurity.
He did some quick arithmetic on a projected volume of anything up to 1.2 million downloads of the four apps. "They charge a lot of money for premium SMS services, if we make a conservative estimate of $20 charged by terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!" And this, of course, is just for the four apps that he found.
These particular apps were found on the Spanish Google Play store. They contravene Google's new terms and conditions for Play, which insist on a single purpose and clear terms. How Google intends to enforce those terms remains to be seen; but Corrons confirmed to Infosecurity that these four have now been removed from Play.