SMS Fraud Is Not Unique to Android
Google is yanking a number of apps from the Android Market after discovering that they are fraudulent. Although such apps are more likely to be found with Android than on rival platforms, the concept of fraud is an equal opportunity threat that extends far beyond Android mobile devices.
First, a little background on the action in the Android Market. Google has reportedly removed 22 apps from the Android Market that were identified as fraudulent. The apps in question pose as legitimate, popular apps like Angry Birds, or the Opera Mobile browser, but lure users into sending costly premium SMS text messages.
Lookout Mobile Security has been instrumental in uncovering the Android Market fraud and working with Google to weed out the apps. Lookout believes the fraud is originating from Russia, so it gave the apps the apropos name “RuFraud”.
A blog post last week from Lookout describes how the RuFraud apps work to steal money from users. “The initial batch appeared as horoscope apps with a fairly hidden ToS indicating charges. The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links.”
It is easy to paint this as a sign of weakness for Android. Of the major mobile platforms, Android is the only one that allows apps to be distributed through its official app store without being verified first, and Android also allows for purchasing apps from third-party app stores.
While it may be easier to distribute a shady app without an app store “gatekeeper,” fraud is not unique to Android and doesn’t really even need an app. Fraud is one of the oldest crimes in existence, and relies more on duping people than on circumventing technology.
There are instances of SMS phishing scams that can trick people regardless of mobile platform. The victim receives a spam text message with a link of some sort. Inevitably, some users will click the link, and most likely end up “approving” some sort of charge—similar to the way the RuFraud apps work. Getting users to click on a link is a social engineering tactic that transcends the OS of the target mobile device.
Symantec recently reported on a completely different kind of fraud related to smartphones. Fraudsters marketed a software application called SMS Privato Spy that promises to enable you to, “view the phone screen live, activate and listen on the microphone, view call logs, and perform GPS tracking at all times” on a target smartphone, all for as little as $50.
The problem is that no such app exists. If you fall for the marketing and “buy” SMS Privato Spy, the fraudsters will simply take your money and run.
The weak spot when it comes to fraud is not Android, or iOS, or any mobile platform or desktop operating system. The Achilles heel for fraud is the users—the naïve, gullible user—that falls for the bait and unwittingly approves transactions or volunteers to pay for things that don’t exist.
The bottom line in the case of the fraudulent Android apps is that the apps do disclose what they intend to do, and the user is approving that activity by accepting the agreement. The terms are intentionally buried, and we all know that nobody actually reads the terms of service (ToS), or end-user license agreement (EULA) before accepting it, but there are still some simple tricks you can use to avoid being a victim of this type of fraud.
For starters, let the community be your police. Stick with apps that are more heavily downloaded and reviewed. If you do download a more obscure app that has been rarely downloaded, or has only a handful of reviews, be more vigilant about the permissions the app is requesting. Does a game like Angry Birds really need access to send SMS text messages on your behalf?
Users need to be better educated about mobile security in general, and more aware of emerging scams so they can recognize and avoid them. Most importantly, though, people need to exercise some common sense and healthy dose of skepticism to steer clear of these kinds of threats.