Panda Security, The Cloud Security Company, has identified malicious apps on Google Play that can sign users up to premium SMS subscription services without their permission. These new threats have been able to infect at least 300,000 users so far, although the number of malicious downloads could have reached 1,200,000.
“Easy Hairdos”, “Abs Diets”, “Workout Routines” and “Cupcake Recipes” are among the malicious apps available for download on Google Play.
In the case of “Abs Diets”, for example, once the app has been installed and the user has accepted the terms and conditions of use of the service, the following happens: Firstly, the app displays a series of tips to reduce abdominal fat. Secondly, and without the user’s knowledge, the app looks for the phone number of the mobile device, connects to a Web page and signs the victim up to a premium SMS subscription service. However, how do fraudsters obtain the phone number of the device? The number is ‘stolen’ from one of the world’s most popular apps: WhatsApp. As soon as the user opens WhatsApp, the malicious app will get the phone number and save it as part of the data it needs to synchronize the account.
According to data from Google Play, this app has been downloaded by between 50,000 and 100,000 users. The other apps work in exactly the same way, so it is safe to say that the four malicious apps may have infected between 300,000 and 1,200,000 users in total.
“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, £20 paid by each user would result in a huge sum of 6 to 24 million pound stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.
Don’t Get In a Flap Protecting Your Mobile Devices
Regardless of the security solution installed on their devices, users must always read the list of permissions requested by apps before installing them. If an app requires permissions to access the Internet or read SMS messages when there is no need for it, it should not be installed.
The Panda Mobile Security (v1.1) “Privacy Auditor” feature classifies apps with permissions to sign users up for premium SMS services under the “Cost Money” category, from where they can be easily removed.
“Not every app that is included in that category is malicious, as it may need access to calls or SMSs to fulfill its primary function. Having said that, any app with permissions to act in the described manner could be considered dangerous, and if the user sees apps with permissions they should not have, they should remove them immediately”, explained Corrons.
“These apps might stay on Google Play for a long time as, in the end, it is the users themselves who willingly accept the apps’ terms of service, an aspect which might be used by fraudsters as a defense. A defense, in any case, not strong enough to prevent our solution Panda Mobile Security from identifying their intentions”, added Corrons.
Since its recent removal from the Google Play store the interest in the “Flappy Bird” app has gone through the roof leading to scammers launching fake “Flappy Bird” apps, identical to the original except they come with additional premium-SMS capabilities. If you are unable to locate “Flappy Bird” then there are a number of interesting alternatives including Sesame Street’s “Flappy Bert” and Fall Out Boy’s “Fall Out Bird”.
More info, in PandaLabs Blog.
About Panda Security
Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions, with products available in more than 23 languages and millions of users located in 195 countries around the world. Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology. This innovative security model can automatically analyze and classify thousands of new malware samples every day, guaranteeing corporate customers and home users the most effective protection against Internet threats with minimum impact on system performance. Panda Security has 56 offices throughout the globe with US headquarters in Florida and European headquarters in Spain
Panda Security collaborates with The Stella Project, a program aimed at promoting the incorporation into the community and workplace of people with Down syndrome and other intellectual disabilities, as part of its Corporate Social Responsibility policy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.