Risk
4/2/2013
11:18 AM
50%
50%

Google Play Hit By One Click Billing Fraud

More than 200 Android apps have been designed to trick people into parting with up to $1,000 for adult content, warns Symantec.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Beware of Android apps that demand money in exchange for adult videos.

That warning comes from Symantec, which reports a recent surge in Android apps available via the official Google Play store, which are designed by scammers to fool people who are seeking adult-oriented videos.

"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis," said security researcher Joji Hamada Monday in a blog post. "We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months."

[ Scams are everywhere -- beware texts bearing "gifts." Read SMS Spam Delivers More Malware, Scams. ]

The apps operate in the service of a scam that's known as one-click fraud, or one-click billing fraud. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to unrelated research published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."

Geographically speaking, the good news -- for most people -- is that such attacks seem confined to the Japanese-language market, and the Carnegie Mellon team found that fewer than 10 criminal gangs appear to be behind such scams. The bad news for people snared by the scam, however, is that scammers can net 100,000 yen (about $1,000) in one go.

"One-click fraud is essentially unknown outside of Japan," according to research published last year by Trend Micro security researcher Jonathan Leopando. "Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported -- users may be afraid of going to law enforcement."

A more U.S.-focused variation on this type of scam is the Reveton malware, which freezes users' PCs and informs them that they must pay a fine to the FBI -- or some other law enforcement agency -- for viewing illicit or illegal material.

Although one-click fraud campaigns have long targeted PC users, Android malware designed for the same purpose was first spotted last year.

One cornerstone of the Android app security model is that users must authorize the types of behavior they'll grant to individual executables. But such defenses do little against one-click fraud scams. "Typically, the apps only require the user to accept the 'network communication' permission, although some variants do not require the user to accept any permissions," said Hamada. "This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app."

Still, Symantec said it's not clear how many people who downloaded the Japanese-language Android scamming apps would have ultimately paid up. "However, it appears to be worth the time and effort for the scammers as they have continued doing business for over two months," said Hamada.

Interestingly, Symantec has seen signs that some of the more than 50 developers behind the Japanese-language one-click fraud campaign have diversified into Android dating apps too. "It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan," said Hamada.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?