SMS Fraud is Not Unique to Android
Google is pulling a number of fraudulent apps that dupe users out of money.
By Tony Bradley
December 14, 2011 — PC World — Google is yanking a number of apps from the Android Market after discovering that they are fraudulent. Although such apps are more likely to be found with Android than on rival platforms, the concept of fraud is an equal opportunity threat that extends far beyond Android mobile devices.
First, a little background on the action in the Android Market. Google has reportedly removed 22 apps from the Android Market that were identified as fraudulent. The apps in question pose as legitimate, popular apps like Angry Birds, or the Opera Mobile browser, but lure users into sending costly premium SMS text messages.
Lookout Mobile Security has been instrumental in uncovering the Android Market fraud and working with Google to weed out the apps. Lookout believes the fraud is originating from Russia, so it gave the apps the apropos name "RuFraud".
A blog post last week from Lookout describes how the RuFraud apps work to steal money from users. "The initial batch appeared as horoscope apps with a fairly hidden ToS indicating charges. The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links."
It is easy to paint this as a sign of weakness for Android. Of the major mobile platforms, Android is the only one that allows apps to be distributed through its official app store without being verified first, and Android also allows for purchasing apps from third-party app stores.
While it may be easier to distribute a shady app without an app store "gatekeeper," fraud is not unique to Android and doesn't really even need an app. Fraud is one of the oldest crimes in existence, and it relies more on duping people than on circumventing technology.
There are instances of SMS phishing scams that can trick people regardless of mobile platform. The victim receives a spam text message with a link of some sort. Inevitably, some users will click the link, and most likely end up "approving" some sort of charge, similar to the way the RuFraud apps work. Getting users to click on a link is a social engineering tactic that transcends the OS of the target mobile device.
Symantec recently reported on a completely different kind of fraud related to smartphones. Fraudsters marketed a software application called SMS Privato Spy that promises to enable you to "view the phone screen live, activate and listen on the microphone, view call logs, and perform GPS tracking at all times" on a target smartphone, all for as little as $50.