Don’t blame Android – mobile fraudsters prey on the naive

Google is yanking a number of apps from the Android Market after discovering that they are fraudulent. Although such apps are more likely to be found with Android than on rival platforms, the concept of fraud is an equal opportunity threat that extends far beyond Android mobile devices.

First, a little background on the action in the Android Market. Googlehas reportedly removed 22 apps from the Android Market that wereidentified as fraudulent. The apps in question pose as legitimate,popular apps like Angry Birds, or the Opera Mobilebrowser, but lureusers into sending costly premium SMS text messages.

Lookout MobileSecurity has been instrumental is uncovering the AndroidMarket fraud and working with Google to weed out the apps. Lookoutbelieves the fraud is originating from Russia, so it gave the apps theapropos name “RuFraud”.

A blogpost last week from Lookout describes how the RuFraud appswork to steal money from users. “The initial batch appeared ashoroscope apps with a fairly hidden ToS indicating charges. The initialapplication activity presents the user with a single option tocontinue, which is presumed to be an agreement to premium charges thatare buried within layers of less than clear links.”

It is easy to paint this as a sign of weakness for Android. Ofthe major mobile platforms, Android is the only one that allows apps tobe distributed through its official app store without being verifiedfirst, and Android also allows for purchasing apps from third-party appstores.

While it may be easier to distribute a shady app without anapp store “gatekeeper,” fraud is not unique to Android and doesn’treally even need an app. Fraud is one of the oldest crimes inexistence, and relies more on duping people, than on circumventingtechnology.

There are instances of SMS phishing scams that can trickpeople regardless of mobile platform. The victim receives a spam textmessage with a link of some sort. Inevitably, some users will click thelink, and most likely end up “approving” some sort of charge–similarto the way the RuFraud apps work. Getting users to click on a link is asocial engineering tactic that transcends the OS of the target mobiledevice.

Symantecrecently reported on a completelydifferent kind of fraud related to smartphones. Fraudstersmarketed a software application called SMS Privato Spy that promises toenable you to, “view the phone screen live, activate and listen on themicrophone, view call logs, and perform GPS tracking at all times” on atarget smartphone, all for as little as $50.
The problem is that no such app exists. If you fall for the marketingand “buy” SMS Privato Spy, the fraudsters will simply take your moneyand run.

Biggest weak spot is users, notAndroid
The weak spot when it comes to fraud is not Android, or iOS, or anymobile platform or desktop operating system. The Achilles heel forfraud is the users–the naïve, gullible user–that falls for the baitand unwittingly approves transactions or volunteers to pay for thingsthat don’t exist.

The bottom line in the case of the fraudulent Android apps is that theapps do disclose what they intend to do, and the user is approving thatactivity by accepting the agreement. The terms are intentionallyburied, and we all know that nobody actually reads the terms of service(ToS), or end-user license agreement (EULA) before accepting it, butthere are still some simple tricks you can use to avoid being a victimof this type of fraud.

For starters, let the community be your police. Stick with apps thatare more heavily downloaded and reviewed. If you do download a moreobscure app that has been rarely downloaded, or has only a handful ofreviews, be more vigilant about the permissions the app is requesting.Does a game like Angry Birds really need access to send SMS textmessages on your behalf?

Users need to be better educated about mobile security in general, andmore aware of emerging scams so they can recognize and avoid them. Mostimportantly, though, people need to exercise some common sense andhealthy dose of skepticism to steer clear of these kinds of threats.