Consumers face SMS fraud wave, report predicts

The first and long-awaited wave of mobile crime is hitting users in the form of crude tariff and messaging fraud, an analysis by security company AdaptiveMobile has suggested.

In its Global Security Insight for Mobile, Adaptive reviews threats seen in 2010, ranging from proof-of-concept malware attacks adapted from the Windows environment to increasingly common but basic social engineering or Nigerian 419/411 attacks.

The latter turn out to be the most common way for ordinary subscribers to be defrauded in and beyond the EU, and usually involve some form of mobile spam offering a non-existent prize, or asking users to ring premium rate or international number.

With SMS messages becoming cheaper to send in developed countries, the last year has seen a marked uptick in these crimes helped along by response rates of up to 1-2 percent that can only be dreamed of by conventional email spammers. There are also 4 billion SMS users globally compared to only 1.4 billion for email.

In the most sophisticated example looked at by Adaptive from last year, criminals even went as far as to create a fake Android application, FakePlayer-B, purporting to be an adult media player but which was actually designed to send texts to a premium rate number at $6 a time. A second example, 3D Anti-Terrorist Action, hijacked a legitimate game app to secretly make expensive calls to an international number.

In neither case would the user have known what was happening, despite clues buried in the app permissions revealed during installation.

In contrast, the Zeus Mitmo malware which attacked attacking banking apps running on Symbian and BlackBerry, shows that criminals are still not beyond re-engineering conventional PC threats to carry out established data stealing activities.

A key issue is how the user reacts to mobile spam or ends up installing bogus apps on a smartphones. Users appear to be more likely to react to SMS spam by replying which explains the much higher response rates – which plays into the hands of fraudsters looking to verify a mobile umber of just make money from premium rate scams.

As to apps, getting malware on to a smartphone is far more demanding than on a PC thanks to more thorough vetting, published user feedback and the system of application permissions. Despite this, users are also inclined to install large numbers of apps without paying enough attention which offers plenty of scope for social engineering attacks.

Theres still a lot of confusion amongst consumer and enterprise subscribers as to where the real threats lie and what can be done to combat them, particularly as the threats and handsets are becoming more sophisticated and therefore complex, commented AdaptiveMobile COO, Gareth Maclachlan.

We predict that compound threats will seriously shake up the telecoms and security markets over the coming year.