"The new type not only requires clicks, but it also requires users to send an email in order to register to become a member of a service, call a given phone number to acquire a password, and enter the password to log into the fraudulent site," said Joji Hamada, a Japan-based researcher with Symantec, in a blog post. "That's quite a bit of work to get through just to be scammed."
Users who successfully jump through those hoops, however, get hit with a bill of over $3,000 -- and given just three days to pay -- for what's labeled as an annual subscription fee to an online adult video site.
Scammers also help lure people to their apps by "abusing the search function on Google Play," which helps keep these apps at the top of search results, said Hamada. "A test search carried out by Symantec resulted in 21 out of 24 top hits being malicious apps," he said.
To be clear, one-click fraud -- also known as one-click billing fraud -- is an attempt by criminals to trick people into parting with their money. "In this scam, a person browsing the Internet is suddenly informed they have just agreed to pay a registration fee after simply clicking on a link," according to a 2010 research report published by a team at Carnegie Mellon University's Information Networking Institute. "They do not owe any money legally, but they pay the scammer out of feelings of shame for clicking on the link -- typically for pornographic material -- and to avoid further embarrassment if others were to mistakenly assume they subscribed to such material."
According to Carnegie Mellon, each successful one-click billing scam nets, on average, about $1,000. But the practice is largely confined to Japan, where about 10 criminal gangs dominate the market.
Stamping out these types of malicious apps remains difficult, at least via purely automated means such as Bouncer, the Google Play anti-malware scanning engine, because the app itself does nothing on the device that a scanner can judge: many of the apps simply use browser links as part of the scam. "Because these apps only launch the browser to open certain sites, which request users to take additional steps to reach the final destination, it can almost be impossible for any system to confirm anything malicious about these apps," said Symantec's Hamada. "The manual steps required in this scam are another strategy used to keep the apps on the market as long as possible."
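The practical consequence of Hamada's point is that the first pass over such apps is a routing decision, not a malware verdict. The script below is an added example, not Symantec's or Google's code, of the static triage an analyst might run before any sandbox: it reads a decoded AndroidManifest.xml and a list of string constants recovered from classes.dex, and an app whose whole on-device footprint is one launcher activity, the INTERNET permission, an ACTION_VIEW string and an external URL is routed to a human queue, because nothing more can be learned by executing it. Both manifests and string lists are constructed for the example, and the example.invalid hosts are placeholders.

```python
"""Static triage for 'browser-launcher' Android apps (added example, not vendor code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ACTION_VIEW = "android.intent.action.VIEW"
# The only permission an app needs if all it does is hand a URL to the browser.
LAUNCHER_PERMS = {"android.permission.INTERNET"}

# Constructed sample 1: a scam-style app. One launcher activity, INTERNET only,
# and the code just fires ACTION_VIEW at an off-device landing page.
SCAM_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Free Video">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
SCAM_STRINGS = [ACTION_VIEW, "http://example.invalid/enter.php?ref=app", "Loading..."]

# Constructed sample 2: an ordinary media player with real on-device surface.
PLAYER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Player">
    <activity android:name=".MainActivity"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".PlaybackService"/>
    <receiver android:name=".HeadsetReceiver"/>
  </application>
</manifest>"""
PLAYER_STRINGS = [ACTION_VIEW, "https://cdn.example.invalid/catalog.json"]


def summarize_manifest(manifest_xml):
    """Return requested permissions and per-type component counts from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = ANDROID_NS + "name"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    components = {tag: len(list(root.iter(tag)))
                  for tag in ("activity", "service", "receiver", "provider")}
    return {"permissions": perms, "components": components}


def external_urls(strings):
    """Collect http(s) URLs embedded in recovered string constants, grouped by host."""
    found = {}
    for s in strings:
        for m in URL_RE.finditer(s):
            host = urlparse(m.group(0)).hostname
            if host:
                found.setdefault(host, []).append(m.group(0))
    return found


def triage(manifest_xml, strings):
    """Route an app to one of three queues and return the evidence used.

    'browser-launcher': the app only opens a URL; scanners (static or
        sandbox) cannot see the scam, so a human must review the landing site.
        A legitimate bookmark-style app trips the same rule, which is why this
        is a queue and not a verdict.
    'automated-scan': enough on-device surface (extra components or
        permissions) for Bouncer-style analysis to be meaningful.
    'no-network': no INTERNET permission and no URLs; not this scam family.
    """
    info = summarize_manifest(manifest_xml)
    urls = external_urls(strings)
    comps = info["components"]
    only_one_activity = comps["activity"] == 1 and all(
        comps[t] == 0 for t in ("service", "receiver", "provider"))
    minimal_perms = info["permissions"] <= LAUNCHER_PERMS
    opens_url = ACTION_VIEW in strings and bool(urls)

    if "android.permission.INTERNET" not in info["permissions"] and not urls:
        route = "no-network"
    elif only_one_activity and minimal_perms and opens_url:
        route = "browser-launcher"
    else:
        route = "automated-scan"
    return {"route": route, "permissions": sorted(p for p in info["permissions"] if p),
            "components": comps, "hosts": sorted(urls)}


if __name__ == "__main__":
    for label, m, s in (("scam-style", SCAM_MANIFEST, SCAM_STRINGS),
                        ("player", PLAYER_MANIFEST, PLAYER_STRINGS)):
        print(label, triage(m, s))
```

The heuristic is deliberately cheap: it costs nothing to run across a store's worth of submissions, and its output is a prioritised list of landing pages for a person to visit, which is the only step that actually reveals the fee demand.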
What might be done to stamp out these apps sooner? "Human analysis may be the only way to discover these sorts of apps," said Hamada, noting that Symantec has spotted over 100 "not just one-click" scam apps on Google Play since the beginning of July. As of Friday, 30 such apps -- published by three different developers -- were still available, although he said Symantec informed Google about the apps, and that Google typically excises malicious apps within 24 hours of being notified.
Google's approach to stamping out malicious apps differs from that of Apple, which uses a walled-garden model that only allows vetted apps to be installed on Apple's mobile devices. So far, that approach has kept malware largely out of Apple's App Store and off iOS devices, although pre-publication vetting judges what an app does at review time, not what a website it links to does afterward.
With the Android operating system, by contrast, Google has taken a more hands-off approach, largely relying on users to navigate the permissions requested by any app before they agree to install it, although Google does excise apps from Google Play if reports surface that they're malicious.
Still, Google has been making related information security improvements, such as adding Bouncer in 2011 to help spot and remove malicious apps from Google Play. In addition, with Android 4.2, released in November 2012, Google included a Verify Apps feature to warn users against installing apps that appeared to contain malicious code.
Coinciding with last week's release of Android 4.3, Verify Apps has also been rolled out via the Google Play Services app, which is installed automatically on every device running Android 2.3 or newer that is configured to use Google Play -- about 95% of all Android devices.
Another security feature introduced in Android 4.3 is Security-Enhanced Linux (SELinux), a mandatory access control system for the Linux kernel, originally developed by the National Security Agency, that separates security policy from its enforcement. In 4.3 it runs in permissive mode, logging policy violations without blocking them; once enforced, it limits what a compromised or malicious process can do at the kernel level, which helps against malware that abuses the device but cannot judge the intent of an app that merely opens a website.
Finally, Android Police has detailed a hidden feature included in version 4.3 -- dubbed "App Ops" -- which allows users to selectively disable some permissions demanded by apps. The feature isn't yet ready for primetime, but it could be a powerful tool for helping users prevent not just malware but scamware from being successful.