11:18 AM

Google Play Hit By One Click Billing Fraud

More than 200 Android apps have been designed to trick people into parting with up to $1,000 for adult content, warns Symantec.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Beware of Android apps that demand money in exchange for adult videos.

That warning comes from Symantec, which reports a recent surge in Android apps available via the official Google Play store, which are designed by scammers to fool people who are seeking adult-oriented videos.

"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis," said security researcher Joji Hamada Monday in a blog post. "We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months."

[ Scams are everywhere -- beware texts bearing "gifts." Read SMS Spam Delivers More Malware, Scams. ]

The apps operate in the service of a scam that's known as one-click fraud, or one-click billing fraud. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to unrelated research published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."

Geographically speaking, the good news -- for most people -- is that such attacks seem confined to the Japanese-language market, and the Carnegie Mellon team found that fewer than 10 criminal gangs appear to be behind such scams. The bad news for people snared by the scam, however, is that scammers can net 100,000 yen (about $1,000) in one go.

"One-click fraud is essentially unknown outside of Japan," according to research published last year by Trend Micro security researcher Jonathan Leopando. "Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported -- users may be afraid of going to law enforcement."

A more U.S.-focused variation on this type of scam is the Reveton malware, which freezes users' PCs and informs them that they must pay a fine to the FBI -- or some other law enforcement agency -- for viewing illicit or illegal material.

Although one-click fraud campaigns have long targeted PC users, Android malware designed for the same purpose was first spotted last year.

One cornerstone of the Android app security model is that users must authorize the types of behavior they'll grant to individual executables. But such defenses do little against one-click fraud scams. "Typically, the apps only require the user to accept the 'network communication' permission, although some variants do not require the user to accept any permissions," said Hamada. "This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app."

Still, Symantec said it's not clear how many people who downloaded the Japanese-language Android scamming apps would have ultimately paid up. "However, it appears to be worth the time and effort for the scammers as they have continued doing business for over two months," said Hamada.

Interestingly, Symantec has seen signs that some of the more than 50 developers behind the Japanese-language one-click fraud campaign have diversified into Android dating apps too. "It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan," said Hamada.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a firestarter.py supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.