Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Google Play Hit By One Click Billing Fraud

More than 200 Android apps have been designed to trick people into parting with up to $1,000 for adult content, warns Symantec.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Beware of Android apps that demand money in exchange for adult videos.

That warning comes from Symantec, which reports a recent surge in Android apps available via the official Google Play store, which are designed by scammers to fool people who are seeking adult-oriented videos.

"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis," said security researcher Joji Hamada Monday in a blog post. "We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months."

[ Scams are everywhere -- beware texts bearing "gifts." Read SMS Spam Delivers More Malware, Scams. ]

The apps operate in the service of a scam that's known as one-click fraud, or one-click billing fraud. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to unrelated research published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."

Geographically speaking, the good news -- for most people -- is that such attacks seem confined to the Japanese-language market, and the Carnegie Mellon team found that fewer than 10 criminal gangs appear to be behind such scams. The bad news for people snared by the scam, however, is that scammers can net 100,000 yen (about $1,000) in one go.

"One-click fraud is essentially unknown outside of Japan," according to research published last year by Trend Micro security researcher Jonathan Leopando. "Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported -- users may be afraid of going to law enforcement."

A more U.S.-focused variation on this type of scam is the Reveton malware, which freezes users' PCs and informs them that they must pay a fine to the FBI -- or some other law enforcement agency -- for viewing illicit or illegal material.

Although one-click fraud campaigns have long targeted PC users, Android malware designed for the same purpose was first spotted last year.

One cornerstone of the Android app security model is that users must authorize the types of behavior they'll grant to individual executables. But such defenses do little against one-click fraud scams. "Typically, the apps only require the user to accept the 'network communication' permission, although some variants do not require the user to accept any permissions," said Hamada. "This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app."

Still, Symantec said it's not clear how many people who downloaded the Japanese-language Android scamming apps would have ultimately paid up. "However, it appears to be worth the time and effort for the scammers as they have continued doing business for over two months," said Hamada.

Interestingly, Symantec has seen signs that some of the more than 50 developers behind the Japanese-language one-click fraud campaign have diversified into Android dating apps too. "It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan," said Hamada.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27241
PUBLISHED: 2021-04-19
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger...
CVE-2021-3497
PUBLISHED: 2021-04-19
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.
CVE-2021-3498
PUBLISHED: 2021-04-19
GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
CVE-2021-3505
PUBLISHED: 2021-04-19
A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat...
CVE-2020-27240
PUBLISHED: 2021-04-19
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigg...