You may not have heard of it, but a premium SMS scam is one of the most common ways of using your phone to diddle you out of your hard-earned. And with Android becoming more popular, the threat is only going to increase.
But what is it? How does it work? And what can you do about it? We’ve spoken to the experts to bring you the lowdown on staying safe while using your mobile.
The more advanced mobiles become, the safer they are, right? Well, up to a point. When malicious apps find their way into Apple’s usually Fort Knox-like App Store, you know something is up. So Android, with its open source nature, has had its fair share of trouble.
How bad is the problem?
“In 2011, premium SMS scams were the most common form of malware in the world,” says Kevin Mahaffey, founder and CTO of Lookout Mobile Security.
“Last year, 20 percent of all malicious Android apps used premium SMS,” adds Tom Parsons, director of development for Symantec security response, and spokesperson for Norton. “That figure has only grown, and now it’s closer to 30 or 40 percent.” So that means almost half of the dodgy apps plaguing Android use this method to try to defraud you.
Recent examples include apps masquerading as Super Mario Bros. and Grand Theft Auto. Both games hid a trojan known as Dropdialer: once installed, it would download an extra package via Dropbox, which would send messages to premium-rate SMS numbers in Europe. The malware would then uninstall the extra package, hiding any hint of any wrongdoing. It’s estimated both fraudulent apps were downloaded between 50,000 and 100,000 times.
Simple but effective
The premium SMS scam is so common because of how simple it is.
“Premium SMS is the way the bad guys are making money on Android right now, plain and simple,” Parsons says. “It’s low hanging fruit for those guys. It’s very easy to set up. If you want to target users around Europe, you just need to go to various premium SMS providers in the locations, get your short code, and if you’ve got your malware deployed you can make money quite quickly.”
And it’s a relatively new phenomenon; the Android platform launched in 2008, but it didn’t attract the bad guys for a couple of years.
“The first Android malware we saw was in 2010,” Parsons says. “That was largely confined to Russia. In 2011 we saw it spread around the world – GGTracker in the US, and some European countries were impacted by various Android threats. And we saw the emergence of malware for Android in China.
“Very early on, the bad guys realised that if they wanted to make money from their Android malware creations, they had to do it globally, and through premium SMS. It’s a very standardised way of making money on smartphones.”
How it works
Premium SMS scams are a kind of double-edged sword: not only are they simple to set up, you might not even know you’re being conned. Until you get your phone bill, at least.
“Typically whoever’s doing it makes an app that looks like a big name like Angry Birds to maximise downloads,” Parsons says. (As well as Super Mario Bros. and Grand Theft Auto, malware has recently imitated photo-sharing app Instagram and Angry Birds Space.)
“Very often the legitimate app is packaged alongside the trojanised one,” Parsons continues. “When you run the application, it’ll request a lot more permissions than the legitimate one. Then the premium SMS component does its work in the background.”
Mahaffey picks up on the process.
“The malicious app sends an SMS message to what’s called a premium short code,” he says. “And the short code will say ‘I want to buy this’ and the application will do the rest. It all happens in the background, without your knowledge.
“They already have your credit card details from registering the app, so for a bad guy it’s like pushing a single button. It’s perhaps the most effective tool for defrauding someone.”
So how do you stay safe? It’s not as simple as avoiding any apps that ask for permission to send SMS. Some use it perfectly legitimately, for letting friends know about a game you’re playing, for example. And Lookout’s own app has a function to help find your phone, which involves sending an SMS.
Rather, you should look at which permissions the app requests, and think about whether it needs them for its professed purpose.
“You should watch the installation process from the start as well, because sometimes these trojanised apps may appear to come from Google Play, but in fact they’re from a fake third party market,” Parsons says. “So just be aware of anything unusual in the installation process.”
While Google Play is far from 100 percent safe, the experts recommend you stick to it to decrease your chances of downloading some nasty malware.
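The permission check described above can be automated when you have the genuine app to compare against. The sketch below is an added example, not code from Lookout or Symantec: it lists the permissions a repackaged app requests that the genuine one does not. It assumes both manifests have already been decoded to plain XML (inside an APK they are stored in a binary form), and the package name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Real Android permission names that can cost the user money if abused.
COSTLY = {
    "android.permission.SEND_SMS": "can text premium short codes",
    "android.permission.RECEIVE_SMS": "can intercept billing confirmation texts",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
}

def requested_permissions(manifest_xml):
    """Return the set of permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}

def review(reference_xml, candidate_xml):
    """List (permission, reason) pairs the candidate requests beyond the reference.

    reason is None unless the permission is in COSTLY; costly ones sort first.
    """
    extra = requested_permissions(candidate_xml) - requested_permissions(reference_xml)
    return sorted(((p, COSTLY.get(p)) for p in extra),
                  key=lambda item: (item[1] is None, item[0]))

# Constructed sample: manifest of the genuine game.
GENUINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed sample: same game repackaged with an SMS component.
REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in review(GENUINE, REPACKAGED):
        print(f"{perm}: {reason or 'not in the genuine app'}")
```

An extra permission is a prompt to ask whether the app needs it for its professed purpose, not proof of fraud, since some apps send SMS legitimately.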
Android: A victim of its own success
While Apple’s App Store has seen its own share of malware apps of late, Android has far more of a problem. But it’s not just because it’s open source, without any of Apple’s strict regulations for submitting apps. Rather, it’s because it’s bigger worldwide, and so means richer pickings: according to recent figures from Gartner, Android accounts for 43 percent of all smartphones globally.
“Android is also easier to write software for, because it uses Java, which is the most commonly-used programming language in the world,” Mahaffey says. “Whereas Apple uses its own programming language not many people will know.
“So these things that make it easier for developers also make it easier for the bad guys to target. But you can’t fault Android for having an easy-to-use UI and being very popular. It’s just an unfortunate situation that by making it very popular, it’s a natural target for the bad guys.”
To write iOS apps, you need a Mac as well, and this kind of malware tends to originate in Russia and China, where cheaper PCs predominate.
Fighting the good fight
While the problem is growing, with Symantec estimating it’s identifying 10,000 malicious Android apps every month, all is not lost. In fact, Britain is leading the way in combatting premium SMS scams on Android.
“PhonepayPlus – the UK premium SMS regulator – has taken a world-leading role in the fight against malware,” Parsons says. “In the last two or three months they suspended a number of short codes that they identified had been sold to people using malware. And based on that, they stopped anyone making money from phones infected with a piece of malware called Rufraud.”
Rufraud was particularly nasty, prompting Google to remove 22 apps from Google Play (then known as Android Market) before Christmas.
“PhonepayPlus was the first regulator in the world to suspend codes like this,” Parsons continues. “If the same approach was applied globally it’d kill the opportunity for making money by premium SMS, and force the bad guys to move up the monetisation food chain.”
Realistically this probably won’t happen, at least not anytime soon; not all regulators operate in the same way, and some countries don’t even have them. But still, it’s a start.