Slashdot Mirror

← Back to Stories (view on slashdot.org)

Majority of Mobile Malware Now Reliant On Toll Fraud

Posted by timothy on from the reverse-the-charges-operator dept.

CowboyRobot writes "Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs 'toll fraud' — billing victims using premium SMS services. The problem is very geographically-dependent, worst in areas with weak SMS regulation, particularly China, Ukraine, and Russia, where users are 10,000 times more likely to have malware on their phones than users in Japan, for example. Other risks include mobile ads surreptitiously uploading personal data, as well as apps that download other malware without users knowing. The full report is available."

39 comments

  1. But... by Anonymous Coward · · Score: 5, Funny

    But... But... You cant have regulations, you have to let the Free Market....

    Thank god i live in a socialist hellhole where when this crap started to spring up it got massively stomped on by regulating the crap out of it.

    1. Re:But... by dinfinity · · Score: 4, Interesting

      Looking at Europe, policies indeed seem to influence matters significantly: https://www.mylookout.com/_gfx/page-images/state-mobile-security/likelihood-heat-map.jpg

      I'm not sure whether France and Norway are particularly lax in their SMS regulation, but it could be.

    2. Re:But... by Hazel+Bergeron · · Score: 4, Funny

      But.l. but... look at the infection rate in Somalia!

      As usual, the free market wins. I'm moving there tomorrow.

    3. Re:But... by Anonymous Coward · · Score: 0

      No, its actually dictatorship.

    4. Re:But... by Viol8 · · Score: 2, Insightful

      Dumb yank. Socialist != communist.

    5. Re:But... by Anonymous Coward · · Score: 2, Informative

      The Netherlands is in comparison pretty socialist, and it has a below average infection of malware, and you can smoke pot legally, and it has an above average IQ of 102!

      (source for last statement: http://www.sq.4mg.com/NationIQ.htm )

      Woo!

  2. Re:Slashdot rss feed broken by Anonymous Coward · · Score: 4, Funny

    stuck at "It's Easy To Steal Identities (Of Corporations)"

    try lifting the lid and blowing on it, then jiggle the cable... and if that doesn't work, give it a few good knocks on the side

  3. Re:Slashdot rss feed broken by Anonymous Coward · · Score: 0

    I dunno - he should try turning it of and on again first

  4. Why do we even need a system for premium rate SMS? by PSVMOrnot · · Score: 5, Insightful

    Seriously, why do we even need a system which lets people charge arbitrary ammounts via SMS? It's insecure, ripe for abuse and open to fraud. I don't think I have ever seen it used for a beneficial purpose, except perhaps for charity donations which could just as easily be done via another system.

    So, why not just shut the thing down? Or, heck just limit it to registered charities; it's not like anyone else uses it but those who prey on the weak (rip off custom ringtone companies, horoscope peddlers and malware)

  5. Re:Slashdot rss feed broken by Anonymous Coward · · Score: 0

    is it even plugged in?

  6. photos by Nesa2 · · Score: 1

    New wave of pictures, including unsuspecting smart phone user's private parts, flooding internet in 3,2,1..

  7. malware WITHOUT users knowing by FrontDoors · · Score: 1

    malware WITHOUT users knowing - is it possible at all?

  8. Re:Why do we even need a system for premium rate S by Anonymous Coward · · Score: 1

    Well telco's make money off it, so if you want it shut down you'll have to lobby against them.

  9. Simples - don't! by samjam · · Score: 1

    Don't install apps that require internet access or permission to make phone calls or send texts.

    Sadly this user abuse by apps is a form of idiot tax on users who don't or won't understand how to manage their own safety.

    --
    blog.sam.liddicott.com
    1. Re:Simples - don't! by Karlt1 · · Score: 0

      "Don't install apps that require internet access"

      And in that case most of my apps are completely useless.

      "or permission to make phone calls or send texts."

      You do notice that this is a problem with only Android?

      "on users who don't or won't understand how to manage their own safety."

      Why should I have to "manage my safety" on a cell phone?

      Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

    2. Re:Simples - don't! by Anonymous Coward · · Score: 0

      "on users who don't or won't understand how to manage their own safety."

      Why should I have to "manage my safety" on a cell phone?

      I've been told many times here on /. that it is a general purpose computer in a phone form-factor, and that my desktop is soon to be an obsolete waste of space and electricity, but I find the concept of over-reliance on smartphones stupid for this very reason. You want cellphone - you buy a cellphone, you want a computer in your pocket - you buy a tablet.

      Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

      Well, no, they're not _generally_ allowed. This is special permissions application has to ask for and there are valid use-cases for ability to call and send SMS. When a random app asks for these permissions it's damn suspicious and should probably be highlighted better in the store, but cutting it off completely would be throwing baby out with the bathwater.

    3. Re:Simples - don't! by alostpacket · · Score: 1

      You're right, almost all apps require internet access but not letting apps make phone calls or send texts is just the walled garden approach.

      Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

      No. That would mean no alternative texting apps, or special dialers like T9 stuff. Additionally, the "Send SMS" permission is one of the most strongly worded by Google (one they actually explained well). It's even under the category of "Services that cost you money"

      Anyways, personally I don't think it's fair to blame the OS for what is clearly a rip-off by the carriers. The problem here is that people don't know that SMS can cost them money or that the carriers are happily complicit in the process.

      --
      PocketPermissions Android Permission Guide
  10. Only prepaid SIM cards for me... by Anonymous Coward · · Score: 5, Interesting

    I'm working as a programmer since nearly 20 years and I just love technology. I use Linux as a desktop since the early days of Slackware, back when it took quite a leap of faith.

    My cellphone? An iPhone... With a prepaid SIM card!

    That way I'm sure that: a) I'll spend way less than any "plan" (master plan one could say ; ) any operator could come up with and b) no malware / premium SMS service / crazy app/site eating my 3G bandwith can never "eat" more than the data limit available on my prepaid card.

    1. Re:Only prepaid SIM cards for me... by tlhIngan · · Score: 1

      My cellphone? An iPhone... With a prepaid SIM card!

      That way I'm sure that: a) I'll spend way less than any "plan" (master plan one could say ; ) any operator could come up with and b) no malware / premium SMS service / crazy app/site eating my 3G bandwith can never "eat" more than the data limit available on my prepaid card.

      Technically, malware like that on iPhone won't get very far because of Apple restrictions.

      First, an app can only send an SMS surreptitiously if it uses its own SMS network (kinda defeats the purpose of using the customer's SMS and phone bill). Otherwise it'll have to bring up the Messages app with the SMS pre-filled in and the user MUST click send on their own. There's no ability to send an SMS without the user knowing.

      Likewise, all phone calls route to the standard dialer (and Apple doesn't allow alternative dialers unless they're VoIP or run on their own network separate from the user's).

      The only thing malware can ding you for is 3G data doing these things, but that sort of payment only goes to the carrier, not so much a third party.

      So your prepaid method generally works much better on Android where you don't have such OS restrictions and walled gardens to deal with.

  11. Root cause by geekmux · · Score: 0, Offtopic

    Phone malware is reliant upon toll fraud?

    No, not really. Phone malware is reliant upon users who think they need to carry around their lives in the plam of their hands. It's also reliant on the greed of vendors who think that every single "phone" in the universe needs to have at least 4,027 features to compete with every other vendor, (oh, and also so they can try and charge you for 4,026 of them.)

    Go figure what happens when you increase your attack vector to the size of a commercial airline runway. Maybe we can stop calling these personal tracking superdevices "phones" now, because the only thing my old-fashioned phone could ever get "infected" with is rust.

  12. Re:Why do we even need a system for premium rate S by windviewer · · Score: 3, Insightful

    It would be reasonable to expect a means by which the consumer could opt out of premium SMS services (all of them) similar to having call blocks for long distance, 900 calls, etc. on your home phone. Even better, the default would off, and you would have to UNBLOCK the ability by contacting your telco. Alas, this would never be provided voluntarily by a telco without regulation...

  13. Re:Why do we even need a system for premium rate S by fph+il+quozientatore · · Score: 1

    Even better, this should be on a number-by-number basis.

    --
    My first program:

    Hell Segmentation fault

  14. Re:Why do we even need a system for premium rate S by iateyourcookies · · Score: 1

    FWIW It's a very useful alternative to parking meters... You text the premium number (cost is the same as a normal ticket) and the system replies with a code. That means the actual ticket machine doesn't need payment processing, and you don't need to carry change around.

  15. Re:Why do we even need a system for premium rate S by Anonymous Coward · · Score: 2, Informative

    Actually I use it for quite a few things.

    -) Paying parking fees. You just send a text with the amount if time you want to book and you can extend it without going to your car too. Getting the parking fee coupons on paper is a major PITA, you can only buy them in

    -) Paying for the washing mashine at my student dorm.

    You can also:

    -) Buy tickets for public transport.

    So it is quite usefull and I have not heard of any abuse using malware in my country. It only works for national numbers and therefore any fraud could be quickly prosecuted.

  16. Thats a relief! by antifoidulus · · Score: 1

    For a moment there I thought my mom was running a Russian Bride ring and trying to sell me one.... It's probably just malware...at least thats what I tell myself anyway.

    --
    Monstar L
  17. Re:Why do we even need a system for premium rate S by berashith · · Score: 3, Interesting

    you would think this is a reasonable request. My wife had a twenty dollar charge on a tmobile account, and they said that she had used "premium" network services. She had to pay that time, and went through every formal protest that she could just to record that it wasnt her and we would not pay twice. All of the texting plans outside of pure data ( g-chat, g-voice, email , etc) had already been disabled. 2 months later it happened again.We had to fight tooth and nail to get them to remove the charge, and then they ended up forgetting the promise to undo the charge and said it was our responsibility to have the charges removed by the vendor... completely ignoring the fact that as no service was purchased, there was no vendor to speak with. They also tried to say that anyone with the phone's email address could place charges to the number , and the tmobile would just pass through the charges. We knew this was obvious bullshit, and got the guy to bac down on that one. Hours later they finally realised that this is their issue, and that they were about to lose customers, so they gave the cash back " within 90 days".

  18. Re:Why do we even need a system for premium rate S by windviewer · · Score: 1

    I just checked and Bell Mobility (Canada) provides an Anti-SPAM service for your mobile phone that lets you block specific numbers in addition to other features. You only have to PAY $5 a month to save yourself from SPAM. You have to enter the number to block (I think this is backwards; you probably want to LIST the numbers you allow, and BLOCK all others; how do I know what all the SPAM phone numbers are in advance until I get one).

  19. Re:Why do we even need a system for premium rate S by xaxa · · Score: 3, Interesting

    It has some uses (see other replies), and it's OK if you have strong regulation of the service providers.

    Example here, which was news here last week:

    A malware attack targeted at 18 countries that cost unsuspecting users £15 every time they tried to open a ‘free’ app has been cut off by PhonepayPlus, the UK’s premium rate telephone services regulator. Sanctions imposed by the regulator’s Tribunal will see all money returned to UK consumers on top of a £50,000 fine imposed on the provider of the premium rate shortcodes that enabled the apps to fraudulently charge smartphone users.

    none of this £27,850 of UK consumers’ money reached the fraudsters.

    (The apps were "free" versions of popular apps, downloaded from alternative app stores -- not the Google one -- or websites.)

  20. Off by a factor of 10. by Dean+Edmonds · · Score: 2

    The report says that devices in Japan have a 0.04% chance of being infected. If China and Russia are "10,000 times more likely" to be infected then that would give them infection rates of 400%, which seems unlikely.

    In fact the report states that the rate for Russia is 41.6% making it "only" about 1,000 times more likely than Japan.

    --

    -deane

    1. Re:Off by a factor of 10. by Anonymous Coward · · Score: 0

      What's an order of magnitude between friends?

    2. Re:Off by a factor of 10. by Anonymous Coward · · Score: 0

      Math is hard.

  21. Re:Why do we even need a system for premium rate S by TheLink · · Score: 2

    They eventually gave you your cash back, but how many people would do what you did and fight them for the money?

    It's just a way of stealing lots of money from very many people. The telcos get a cut, so their bosses don't care.

    If you stole even 20 bucks from someone, they call the cops on you and you'd be in trouble, but the Telcos and their partners get away with stealing from thousands and thousands of people.

    --
  22. Re:Why do we even need a system for premium rate S by berashith · · Score: 1

    well... they backed out on the promise once, and failed to fix the issue to prevent it again. Now they have promised to reduce a bill in 60-90 days. So, as of yet, they are just pushing us around hoping we give up. I will only say they gave it back when we see it.

  23. Re:Why do we even need a system for premium rate S by dkf · · Score: 1

    It has some uses (see other replies), and it's OK if you have strong regulation of the service providers.

    The UK has such strong regulation of this area precisely because of abuse of the capability in the past; there was a spate of premium charges for various tricky things a number of years back (in the '90s IIRC) and so action was taken to stop fraudsters from getting the money. The core of the regulation is a mandatory delay (minimum 1 month?) between when the charge appears on the customer's bill and when the money reaches the owner of the premium service, which gives time for abuse to show up and be stomped on by the authorities, with restitution made as appropriate. Because it's hard to cash out with a fraudulent service, the UK isn't an attractive place for those wanting to do this sort of thing. The fact that it also stops this sort of thing is just a side-benefit.

    The down-side is that legitimate providers have to eat their costs for a while before they get the income arising from their service offering...

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  24. Re:Why do we even need a system for premium rate S by thegarbz · · Score: 1

    The issue is that this is an old service which well predates micro-payments. As such it has quite a large install base, just not anything useful you use on a day to day basis. I remember travelling through Europe for several months and it was a basic transaction form there. The best use was paying for public transport when you're already on the public transport. No need to queue at a machine and buy a ticket, just hope on the train and send a SMS. Paying for parking, and buying permits for some places we visited was another application.

    The problem is there's no clear replacement yet that ubiquitous. Mobile based payment systems are an emerging trend, Paypal is painfully slow and understandably many people want nothing to do with that company, and most of all this is a system which works for everyone with a phone. Not a smartphone with the latest and greatest NFC, not some fancy modern phone capable of running a specific payment app, not a web browers, but any old piece of crap junk phone.

    Security wise where I live I have the service disabled. I can't send premium SMSes from my phone, oh and I live in a country which has a consumer watchdog with some actual balls too so we don't have some of the weird exchanges with telcos you see in other replies.