All told, 27 RuFraud-hiding apps--including wallpaper apps for popular movies, as well as supposed downloaders for popular games, such as Angry Birds Space, Cut the Rope, and Assassin's Creed--were made available via the Android application market now known as Google Play. "Many of the fake apps were advertised as free, but when an unsuspecting smartphone owner downloaded the malicious app, premium rate text messages were charged to their phone bill," according to a blog post from mobile security firm Lookout, which spotted the RuFraud apps and worked with Google to remove them.
But the applications would charge users the equivalent of $23.50 every time they attempted to open the app. "These fake apps were advertised as free but contained malicious coding (malware) that charged the phone's account 15 [Pounds] every time the app was opened (usually charged through three 5 [Pound] premium rate texts)," according to a statement released by PhonepayPlus, which regulates the United Kingdom's premium-phone-number services. "The malware suppressed the sent and received text messages that notify users they have been charged. It was only when consumers received their bill that they were alerted to the fraudulent charges."
[ Mobile malware researchers are developing new crimefighting tools. See Researchers 'Map' Android Malware Genome. ]
The Android apps requested permission to send SMS messages that might result in the user being charged, and mentioned premium pricing in the applications' terms of service, although security experts said the disclosure was so buried that it would have been difficult to find.
All told, the malicious applications were downloaded 14,000 times and affected 1,391 mobile numbers in the United Kingdom. But PhonepayPlus said that thanks to the "industry's swift action in identifying the malware," it was able to quickly suspend the SMS premium shortcode used in the attacks, as well as to prevent any of the ill-gotten money from ever reaching A1 Agregator Limited, which "had control of, and responsibility for, the premium rate payment system which enabled the malware to fraudulently charge consumers' mobile phone accounts."
In addition to levying the 50,000 Pound fine against A1 Agregator, PhonepayPlus said that the company--which has an office in London, but which is based in Latvia--has three months to refund all affected users, whether or not they lodge a complaint.
When it came to the attack, A1 Agregator "didn't do the correct vetting," said a PhonepayPlus spokesman via phone, and thus enabled the scam to occur. "The idea for us is to make a company stop and think before they enable it, and also to make the U.K. unattractive--because they didn't get the money." That's thanks to all funds collected by country's premium-rate services being automatically held for 30 days before being released, and this attack having been spotted within the 30-day window.
According to Lookout, the RuFraud application scam targeted people in 18 countries, including not just Britain, but also France, Germany, Israel, Latvia, Poland, and Russia, although not the United States. But it's unclear how many people in the other 17 targeted countries may have been affected by the malware.
"It was very clever, it picked up on the correct country code based on which type of SIM card was in the phone," said the PhonepayPlus spokesman. He said his agency had informed other countries about the results of its investigation.
Whether the vector is a phishing scam, a lost iPod loaded with sensitive data, or an email-borne worm slithering through a public account, our Well-Meaning Employees--And How To Stop Them report gives you pointers on keeping well-meaning end users from blowing up your systems from the inside. (Free registration required.)