One-click fraud migrates to mobile apps

One-click fraud involves users attempting to access content on adult websites, primarily in Japan. When users attempt to view a video on a computer, they are asked to execute an HTML application file (.hta), which causes annoying pop-up messages to appear on the desktop asking for payment to register for the website, explained Symantec researcher Joji Hamada in a recent blog. Since users do not know how to disable the pop-ups, they often end up paying the registration fee to make the pop-ups stop; sometimes that works, sometimes it doesn’t.

The new wrinkle to the one-click fraud story is that now mobile applications are being used. One-click fraudsters “have moved away from dependency on webpages to now using applications. This is an expected development, but it is surprising to see how quickly they are moving”, said Vikram Thakur, principal security response manager at Symantec.

A user who visits one of these adult websites is told to download an app in order to view the videos. During installation the app requests permissions that a video player has no obvious need for, such as running at boot, reading the user's location, and enumerating the accounts configured on the device.

After installation, the app repeatedly opens the browser and displays a registration page populated with details taken from the device, such as a customer ID, the phone number, and the account configured on the handset, in order to pressure the user into making a payment.

“The apps are not vetted by any security vendor or downloaded over any popular marketplace. They are total scamware; they ask for permissions to get onto your phone. If you install the app, they are able to launch the browser every five minutes and redirect you anywhere of their choosing”, Thakur told Infosecurity.

“This is troubling for a number of reasons. First, they are on your phone and able to see your instant messaging, your incoming phone calls, some of the data on your phone, and are able to launch your browser and redirect you to websites of their choosing. These are usually websites where users are instructed to register and pay for the applications, which are quite expensive”, he explained.

Thakur cautioned mobile phone users to be wary of the permissions being requested by applications. “A video player doesn’t need to have access to your phone calls and text messages. Look at the permissions when you are installing an application. It could be just as simple as that” to avoid these scams.
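The permission check Thakur recommends can be applied to an app's manifest before it is installed. The following is an added example, not code from the article or from Symantec: it parses an AndroidManifest.xml (a constructed sample modelled on the behaviour described above is embedded) and flags the boot, location, account, call and SMS permissions that a video player has no plausible reason to request. The permission names are the real Android ones; the package name and manifest contents are made up.

```python
"""Triage the permissions requested by a sideloaded 'video player' app.

A manifest inside an APK is stored as binary XML; decode it first with a
tool such as apktool, then feed the resulting AndroidManifest.xml in here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a plain video player does not need, each mapped to the
# capability the article describes the scamware abusing.
SUSPICIOUS_FOR_VIDEO_PLAYER = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
    "android.permission.ACCESS_FINE_LOCATION": "tracks user location",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks user location",
    "android.permission.GET_ACCOUNTS": "enumerates accounts on the device",
    "android.permission.READ_PHONE_STATE": "reads phone number / call state",
    "android.permission.READ_CALL_LOG": "reads incoming call history",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.RECEIVE_SMS": "intercepts incoming text messages",
}

# Constructed sample manifest (package name is invented) that asks for
# the kind of permissions the article says these scam apps request.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.scam.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml.strip())
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, unexpected=SUSPICIOUS_FOR_VIDEO_PLAYER) -> dict:
    """Map each suspicious permission the app requests to what it enables."""
    return {p: unexpected[p] for p in requested_permissions(manifest_xml)
            if p in unexpected}


if __name__ == "__main__":
    for perm, why in triage(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

A non-empty result from `triage` is the cue to stop and ask why a video player needs those capabilities; INTERNET alone is expected and is not flagged.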
