Risk
4/2/2013
11:18 AM
50%
50%

Google Play Hit By One Click Billing Fraud

More than 200 Android apps have been designed to trick people into parting with up to $1,000 for adult content, warns Symantec.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Beware of Android apps that demand money in exchange for adult videos.

That warning comes from Symantec, which reports a recent surge in Android apps available via the official Google Play store, which are designed by scammers to fool people who are seeking adult-oriented videos.

"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis," said security researcher Joji Hamada Monday in a blog post. "We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months."

[ Scams are everywhere -- beware texts bearing "gifts." Read SMS Spam Delivers More Malware, Scams. ]

The apps operate in the service of a scam that's known as one-click fraud, or one-click billing fraud. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to unrelated research published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."

Geographically speaking, the good news -- for most people -- is that such attacks seem confined to the Japanese-language market, and the Carnegie Mellon team found that fewer than 10 criminal gangs appear to be behind such scams. The bad news for people snared by the scam, however, is that scammers can net 100,000 yen (about $1,000) in one go.

"One-click fraud is essentially unknown outside of Japan," according to research published last year by Trend Micro security researcher Jonathan Leopando. "Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported -- users may be afraid of going to law enforcement."

A more U.S.-focused variation on this type of scam is the Reveton malware, which freezes users' PCs and informs them that they must pay a fine to the FBI -- or some other law enforcement agency -- for viewing illicit or illegal material.

Although one-click fraud campaigns have long targeted PC users, Android malware designed for the same purpose was first spotted last year.

One cornerstone of the Android app security model is that users must authorize the types of behavior they'll grant to individual executables. But such defenses do little against one-click fraud scams. "Typically, the apps only require the user to accept the 'network communication' permission, although some variants do not require the user to accept any permissions," said Hamada. "This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app."

Still, Symantec said it's not clear how many people who downloaded the Japanese-language Android scamming apps would have ultimately paid up. "However, it appears to be worth the time and effort for the scammers as they have continued doing business for over two months," said Hamada.

Interestingly, Symantec has seen signs that some of the more than 50 developers behind the Japanese-language one-click fraud campaign have diversified into Android dating apps too. "It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan," said Hamada.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.