The security research team at PandaLabs recently discovered that there are four apps available for download on the Google Play store that trick users into subscribing to premium SMS services without even knowing.
The scam is relatively simple. When an app is installed on an Android device, it asks for a list of permissions to be able to function. Most people don’t even bat an eye at what permissions they are giving their apps, and that’s exactly what these scammers are relying on.
When given the correct permissions, these apps are able to pull a user’s phone number from Whatsapp (which is most likely installed) and use it to subscribe to a premium SMS service.
Usually, when you sign up to such a service you receive a text which requires you to confirm that you actually want to sign up and that it wasn’t a mistake. However, now that these malicious apps have certain permissions they are able to intercept that text, reply to it, and then delete it without the user knowing it ever existed.
A spokesperson from PandaLabs said, “I know that lots of people only ever give their bill a cursory glance or don’t even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missis had being paying insurance and tech support on a phone she hadn’t used for 5 years”
After some quick mathematics, PandaLabs estimated that these scams have generated as much as $6-24 million to date.
If you have an Android device, I strongly suggest that you re-assess the permissions you are providing to the apps you have installed.
These particular apps were found on the Spanish Google Play store, but there is nothing to suggest that they, or similar apps, can’t be found on other stores.
Smartphones in the workplace
As mobile phones become capable of completing just as many tasks as a PC or laptop can, workers are starting to use their own devices in the workplace; and this can cause problems.
A Bring Your Own Device (BYOD) Policy will help you better protect your organisations information and network by laying out effective rules and procedures for those who use their own devices.
A BYOD policy will also make people more security aware when on their smartphone, decreasing the chance of them downloading malicious apps similar to those mentioned above.