Risk
4/2/2013
11:18 AM
50%
50%

Google Play Hit By One Click Billing Fraud

More than 200 Android apps have been designed to trick people into parting with up to $1,000 for adult content, warns Symantec.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Beware of Android apps that demand money in exchange for adult videos.

That warning comes from Symantec, which reports a recent surge in Android apps available via the official Google Play store, which are designed by scammers to fool people who are seeking adult-oriented videos.

"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis," said security researcher Joji Hamada Monday in a blog post. "We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months."

[ Scams are everywhere -- beware texts bearing "gifts." Read SMS Spam Delivers More Malware, Scams. ]

The apps operate in the service of a scam that's known as one-click fraud, or one-click billing fraud. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to unrelated research published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."

Geographically speaking, the good news -- for most people -- is that such attacks seem confined to the Japanese-language market, and the Carnegie Mellon team found that fewer than 10 criminal gangs appear to be behind such scams. The bad news for people snared by the scam, however, is that scammers can net 100,000 yen (about $1,000) in one go.

"One-click fraud is essentially unknown outside of Japan," according to research published last year by Trend Micro security researcher Jonathan Leopando. "Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported -- users may be afraid of going to law enforcement."

A more U.S.-focused variation on this type of scam is the Reveton malware, which freezes users' PCs and informs them that they must pay a fine to the FBI -- or some other law enforcement agency -- for viewing illicit or illegal material.

Although one-click fraud campaigns have long targeted PC users, Android malware designed for the same purpose was first spotted last year.

One cornerstone of the Android app security model is that users must authorize the types of behavior they'll grant to individual executables. But such defenses do little against one-click fraud scams. "Typically, the apps only require the user to accept the 'network communication' permission, although some variants do not require the user to accept any permissions," said Hamada. "This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app."

Still, Symantec said it's not clear how many people who downloaded the Japanese-language Android scamming apps would have ultimately paid up. "However, it appears to be worth the time and effort for the scammers as they have continued doing business for over two months," said Hamada.

Interestingly, Symantec has seen signs that some of the more than 50 developers behind the Japanese-language one-click fraud campaign have diversified into Android dating apps too. "It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan," said Hamada.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?