Back in February, SophosLabs researcher Vanja Svajcer discussed how he had discovered a malicious link on Facebook that led to malware being downloaded onto his Android smartphone.
Svajcer analysed the malware, adding detection for it as Andr/Opfake-C, and discovered that while posing as a conduit to popular games, it was coded to send an SMS message which subscribed the phone to an expensive premium rate service.
He even made a very short video of the malware automatically downloading to his Android phone: http://www.youtube.com/watch?v=JPlJrB652w8
Normally, the story stops there. We find malware, we stop malware. The end.
But this time, there’s more to report.
Spurred by Naked Security’s report of the malware, and complaints from the public, PhonepayPlus – the regulatory body for all premium rate phone-paid services in the United Kingdom – investigated who was hiding behind the phone numbers.
PhonepayPlus also confirmed the app’s behaviour:
The Service, which was accessed via downloading an app (the "App"), enabled users to access popular games. Before installation of the App, consumers were presented with a screen titled "Downloader" (Appendix A). On selecting "install" the consumer was presented with a screen which stated, "Do you agree with the rules of downloading" and had two buttons, one marked "OK" and a second marked "Rules" (Appendix B).
Where a consumer selected "OK", a text message was sent to shortcode 80079, which prompted the Service to charge the user £10 by automatically sending a message from shortcode 79555 to the handset. Where a consumer selected "Rules", s/he was presented with eight pages of terms and conditions (Appendix C). Pricing information for UK users was located on the sixth page.
Consumers were given the opportunity to select buttons marked "Agree" or "Disagree". Where "Agree" was selected, a text message was sent to shortcode 80079, which prompted the Service to charge the user £10 by automatically sending a message from shortcode 79555 to the handset. The Executive took the view that consumers were not notified in advance of the charges.
After being charged, the consumer was redirected to the 7mobi.net "GamePortal", where s/he could play popular games.
PhonepayPlus discovered that the premium rate numbers used by the malware belonged to Moscow-based firm ООО Коннекст (translated as Connect Ltd trading as SMSBill), and adjudicated that the company had made “very serious” breaches of the PhonepayPlus Code of Practice.
For one thing, the app’s small print (hidden away on the 6th page of the terms and conditions) claimed that charges of “about 5 GBP” were applicable. And yet, the true charge was £10.
Anyone who did go to the effort of reading the T&Cs would not only be told that the fee was less than it actually was, but would also be assured that they would be notified before incurring any charges (they weren’t).
PhonepayPlus said that the service provided by the Android app “had the sole purpose of generating high revenue and did so through recklessly misleading promotion and design.”
Connect Ltd was also criticised for appearing “to have no regard to the Code and/or Guidance”, and failure to co-operate with the investigation in a prompt or adequate manner.
In total, consumers are said to have spent some £100,000 – £250,000 on the service, although it is unclear how much revenue Connect Ltd themselves made.
PhonepayPlus has ordered Connect Ltd to pay a fine of £50,000 and refund – within three months – all consumers who used the service, whether or not they have claimed a refund.
Additionally, for the next two years Connect Ltd will have to receive prior permission from PhonepayPlus for any premium rate services it attempts to offer in the UK.
Some might wonder if Moscow-based Connect Ltd might be tempted to ignore the penalties imposed on it from the UK, but PhonepayPlus spokesman James McLarin was bullish.
McLarin told Naked Security that PhonepayPlus expects the fines to be paid and that the refund will take place:
"If our sanctions are not met we do have the power to bring a breach of sanction case, where the tribunal can impose tough penalties."
The sending of expensive SMS messages is one of the most common ways in which smartphone malware attempts to earn revenue from its victims.
Always be careful about what apps you install, and – in the case of Android apps – be sure to check that you are happy with the permissions the app requests at installation.
If you haven’t already done so, you may consider installing Sophos’s free anti-virus for Android to detect Opfake-C and other Android malware.