Angry Birds Malware Sparks $78,000 Fine - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Angry Birds Malware Sparks $78,000 Fine

British regulators crack down on Latvian company behind the RuFraud malware scheme that placed 27 fake versions of Android apps, including Angry Birds Space, on Google Play.

British regulators have levied fines of 50,000 in British Pounds ($78,000) on a Latvian company for its role in a scam campaign involving RuFraud malware hidden inside fake Android applications, which nearly bilked users out of 27,850 Pounds ($43,600).

All told, 27 RuFraud-hiding apps--including wallpaper apps for popular movies, as well as supposed downloaders for popular games, such as Angry Birds Space, Cut the Rope, and Assassin's Creed--were made available via the Android application market now known as Google Play. "Many of the fake apps were advertised as free, but when an unsuspecting smartphone owner downloaded the malicious app, premium rate text messages were charged to their phone bill," according to a blog post from mobile security firm Lookout, which spotted the RuFraud apps and worked with Google to remove them.

But the applications would charge users the equivalent of $23.50 every time they attempted to open the app. "These fake apps were advertised as free but contained malicious coding (malware) that charged the phone's account 15 [Pounds] every time the app was opened (usually charged through three 5 [Pound] premium rate texts)," according to a statement released by PhonepayPlus, which regulates the United Kingdom's premium-phone-number services. "The malware suppressed the sent and received text messages that notify users they have been charged. It was only when consumers received their bill that they were alerted to the fraudulent charges."

[ Mobile malware researchers are developing new crimefighting tools. See Researchers 'Map' Android Malware Genome. ]

The Android apps requested permission to send SMS messages that might result in the user being charged, and mentioned premium pricing in the applications' terms of service, although security experts said the disclosure was so buried that it would have been difficult to find.

All told, the malicious applications were downloaded 14,000 times and affected 1,391 mobile numbers in the United Kingdom. But PhonepayPlus said that thanks to the "industry's swift action in identifying the malware," it was able to quickly suspend the SMS premium shortcode used in the attacks, as well as to prevent any of the ill-gotten money from ever reaching A1 Agregator Limited, which "had control of, and responsibility for, the premium rate payment system which enabled the malware to fraudulently charge consumers' mobile phone accounts."

In addition to levying the 50,000 Pound fine against A1 Agregator, PhonepayPlus said that the company--which has an office in London, but which is based in Latvia--has three months to refund all affected users, whether or not they lodge a complaint.

When it came to the attack, A1 Agregator "didn't do the correct vetting," said a PhonepayPlus spokesman via phone, and thus enabled the scam to occur. "The idea for us is to make a company stop and think before they enable it, and also to make the U.K. unattractive--because they didn't get the money." That's thanks to all funds collected by country's premium-rate services being automatically held for 30 days before being released, and this attack having been spotted within the 30-day window.

According to Lookout, the RuFraud application scam targeted people in 18 countries, including not just Britain, but also France, Germany, Israel, Latvia, Poland, and Russia, although not the United States. But it's unclear how many people in the other 17 targeted countries may have been affected by the malware.

"It was very clever, it picked up on the correct country code based on which type of SIM card was in the phone," said the PhonepayPlus spokesman. He said his agency had informed other countries about the results of its investigation.

Whether the vector is a phishing scam, a lost iPod loaded with sensitive data, or an email-borne worm slithering through a public account, our Well-Meaning Employees--And How To Stop Them report gives you pointers on keeping well-meaning end users from blowing up your systems from the inside. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll