
Majority of Mobile Malware Now Reliant On Toll Fraud

timothy posted about a year and a half ago | from the reverse-the-charges-operator dept.

Crime 39

CowboyRobot writes "Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs 'toll fraud' — billing victims using premium SMS services. The problem is very geographically-dependent, worst in areas with weak SMS regulation, particularly China, Ukraine, and Russia, where users are 10,000 times more likely to have malware on their phones than users in Japan, for example. Other risks include mobile ads surreptitiously uploading personal data, as well as apps that download other malware without users knowing. The full report is available."


39 comments

Slashdot rss feed broken (-1)

Anonymous Coward | about a year and a half ago | (#41285947)

stuck at "It's Easy To Steal Identities (Of Corporations)"

Re:Slashdot rss feed broken (4, Funny)

Anonymous Coward | about a year and a half ago | (#41285997)

stuck at "It's Easy To Steal Identities (Of Corporations)"

try lifting the lid and blowing on it, then jiggle the cable... and if that doesn't work, give it a few good knocks on the side

Re:Slashdot rss feed broken (0)

Anonymous Coward | about a year and a half ago | (#41286031)

I dunno - he should try turning it off and on again first

Re:Slashdot rss feed broken (0)

Anonymous Coward | about a year and a half ago | (#41286091)

is it even plugged in?

But... (5, Funny)

Anonymous Coward | about a year and a half ago | (#41285987)

But... But... You can't have regulations, you have to let the Free Market....

Thank god I live in a socialist hellhole where when this crap started to spring up it got massively stomped on by regulating the crap out of it.

Re:But... (4, Interesting)

dinfinity (2300094) | about a year and a half ago | (#41286027)

Looking at Europe, policies indeed seem to influence matters significantly: https://www.mylookout.com/_gfx/page-images/state-mobile-security/likelihood-heat-map.jpg [mylookout.com]

I'm not sure whether France and Norway are particularly lax in their SMS regulation, but it could be.

Re:But... (-1)

Anonymous Coward | about a year and a half ago | (#41286029)

But... But... You can't have regulations, you have to let the Free Market....

What communist nonsense. I am sure you smoke cannabis as well as it lowers your IQ.

You may be shocked to learn that North Korea is a socialist paradise. Please, you are invited to live there. Don't wait.

Re:But... (0)

Anonymous Coward | about a year and a half ago | (#41286193)

No, it's actually a dictatorship.

Re:But... (2, Informative)

Anonymous Coward | about a year and a half ago | (#41286345)

The Netherlands is in comparison pretty socialist, and it has a below average infection of malware, and you can smoke pot legally, and it has an above average IQ of 102!

(source for last statement: http://www.sq.4mg.com/NationIQ.htm [4mg.com] )

Woo!

Fraud (1)

roman_mir (125474) | about a year and a half ago | (#41286307)

Fraud is not a legal practice in case of Free Market, however there is no actual problem here that cannot be solved by the Free Market - only get apps from reputable sources.

Free Market has its own regulations. If you fail, you fail, there is no government bail out. If you don't care about the risk you take, you can get burned, so you are not checking whether the source of your app or source of your food or your bank has good reputation, you are taking a risk.

Now saying that these people get burned in unregulated markets, first of all, those markets are monopolies. Russia, Ukraine and other former Soviet republics do not have Free Market, they have mafias running their governments, people's rights are NOT protected.

If you think Russia and Ukraine, etc., are examples of Free Market, then you have completely misunderstood the principles of Freedom.

The Pussy Riot case just happened, just a few weeks ago, you think Russia has a Free Market?

Why do we even need a system for premium rate SMS? (5, Insightful)

PSVMOrnot (885854) | about a year and a half ago | (#41286067)

Seriously, why do we even need a system which lets people charge arbitrary amounts via SMS? It's insecure, ripe for abuse and open to fraud. I don't think I have ever seen it used for a beneficial purpose, except perhaps for charity donations which could just as easily be done via another system.

So, why not just shut the thing down? Or, heck just limit it to registered charities; it's not like anyone else uses it but those who prey on the weak (rip off custom ringtone companies, horoscope peddlers and malware)

Re:Why do we even need a system for premium rate S (1)

Anonymous Coward | about a year and a half ago | (#41286231)

Well, telcos make money off it, so if you want it shut down you'll have to lobby against them.

Re:Why do we even need a system for premium rate S (3, Insightful)

windviewer (1196719) | about a year and a half ago | (#41286297)

It would be reasonable to expect a means by which the consumer could opt out of premium SMS services (all of them) similar to having call blocks for long distance, 900 calls, etc. on your home phone. Even better, the default would be off, and you would have to UNBLOCK the ability by contacting your telco. Alas, this would never be provided voluntarily by a telco without regulation...

Re:Why do we even need a system for premium rate S (3, Interesting)

berashith (222128) | about a year and a half ago | (#41286619)

You would think this is a reasonable request. My wife had a twenty dollar charge on a T-Mobile account, and they said that she had used "premium" network services. She had to pay that time, and went through every formal protest that she could just to record that it wasn't her and we would not pay twice. All of the texting plans outside of pure data (g-chat, g-voice, email, etc.) had already been disabled. 2 months later it happened again. We had to fight tooth and nail to get them to remove the charge, and then they ended up forgetting the promise to undo the charge and said it was our responsibility to have the charges removed by the vendor... completely ignoring the fact that as no service was purchased, there was no vendor to speak with. They also tried to say that anyone with the phone's email address could place charges to the number, and that T-Mobile would just pass through the charges. We knew this was obvious bullshit, and got the guy to back down on that one. Hours later they finally realised that this is their issue, and that they were about to lose customers, so they gave the cash back "within 90 days".

Re:Why do we even need a system for premium rate S (2)

TheLink (130905) | about a year and a half ago | (#41288735)

They eventually gave you your cash back, but how many people would do what you did and fight them for the money?

It's just a way of stealing lots of money from very many people. The telcos get a cut, so their bosses don't care.

If you stole even 20 bucks from someone, they call the cops on you and you'd be in trouble, but the Telcos and their partners get away with stealing from thousands and thousands of people.

Re:Why do we even need a system for premium rate S (1)

berashith (222128) | about a year and a half ago | (#41290061)

well... they backed out on the promise once, and failed to fix the issue to prevent it again. Now they have promised to reduce a bill in 60-90 days. So, as of yet, they are just pushing us around hoping we give up. I will only say they gave it back when we see it.

Re:Why do we even need a system for premium rate S (1)

windviewer (1196719) | about a year and a half ago | (#41286811)

I just checked and Bell Mobility (Canada) provides an Anti-SPAM service for your mobile phone that lets you block specific numbers in addition to other features. You only have to PAY $5 a month to save yourself from SPAM. You have to enter the number to block (I think this is backwards; you probably want to LIST the numbers you allow, and BLOCK all others; how do I know what all the SPAM phone numbers are in advance until I get one).

Re:Why do we even need a system for premium rate S (1)

iateyourcookies (1522473) | about a year and a half ago | (#41286485)

FWIW It's a very useful alternative to parking meters... You text the premium number (cost is the same as a normal ticket) and the system replies with a code. That means the actual ticket machine doesn't need payment processing, and you don't need to carry change around.

Re:Why do we even need a system for premium rate S (2, Informative)

Anonymous Coward | about a year and a half ago | (#41286495)

Actually I use it for quite a few things.

-) Paying parking fees. You just send a text with the amount of time you want to book and you can extend it without going to your car too. Getting the parking fee coupons on paper is a major PITA, you can only buy them in

-) Paying for the washing machine at my student dorm.

You can also:

-) Buy tickets for public transport.

So it is quite useful and I have not heard of any abuse using malware in my country. It only works for national numbers and therefore any fraud could be quickly prosecuted.

Re:Why do we even need a system for premium rate S (3, Interesting)

xaxa (988988) | about a year and a half ago | (#41286925)

It has some uses (see other replies), and it's OK if you have strong regulation of the service providers.

Example here [phonepayplus.org.uk], which was news here last week:

A malware attack targeted at 18 countries that cost unsuspecting users £15 every time they tried to open a ‘free’ app has been cut off by PhonepayPlus, the UK’s premium rate telephone services regulator. Sanctions imposed by the regulator’s Tribunal will see all money returned to UK consumers on top of a £50,000 fine imposed on the provider of the premium rate shortcodes that enabled the apps to fraudulently charge smartphone users.

none of this £27,850 of UK consumers’ money reached the fraudsters.

(The apps were "free" versions of popular apps, downloaded from alternative app stores -- not the Google one -- or websites.)

Re:Why do we even need a system for premium rate S (1)

dkf (304284) | about a year and a half ago | (#41291865)

It has some uses (see other replies), and it's OK if you have strong regulation of the service providers.

The UK has such strong regulation of this area precisely because of abuse of the capability in the past; there was a spate of premium charges for various tricky things a number of years back (in the '90s IIRC) and so action was taken to stop fraudsters from getting the money. The core of the regulation is a mandatory delay (minimum 1 month?) between when the charge appears on the customer's bill and when the money reaches the owner of the premium service, which gives time for abuse to show up and be stomped on by the authorities, with restitution made as appropriate. Because it's hard to cash out with a fraudulent service, the UK isn't an attractive place for those wanting to do this sort of thing. The fact that it also stops this sort of thing is just a side-benefit.

The down-side is that legitimate providers have to eat their costs for a while before they get the income arising from their service offering...

Re:Why do we even need a system for premium rate S (1)

thegarbz (1787294) | about a year and a half ago | (#41297389)

The issue is that this is an old service which well predates micro-payments. As such it has quite a large install base, just not anything useful you use on a day to day basis. I remember travelling through Europe for several months and it was a basic transaction form there. The best use was paying for public transport when you're already on the public transport. No need to queue at a machine and buy a ticket, just hop on the train and send an SMS. Paying for parking, and buying permits for some places we visited was another application.

The problem is there's no clear replacement yet that's ubiquitous. Mobile based payment systems are an emerging trend, Paypal is painfully slow and understandably many people want nothing to do with that company, and most of all this is a system which works for everyone with a phone. Not a smartphone with the latest and greatest NFC, not some fancy modern phone capable of running a specific payment app, not a web browser, but any old piece of crap junk phone.

Security wise where I live I have the service disabled. I can't send premium SMSes from my phone, oh and I live in a country which has a consumer watchdog with some actual balls too so we don't have some of the weird exchanges with telcos you see in other replies.

photos (1)

Nesa2 (1142511) | about a year and a half ago | (#41286181)

New wave of pictures, including unsuspecting smart phone user's private parts, flooding internet in 3,2,1..

Simples - don't! (1)

samjam (256347) | about a year and a half ago | (#41286233)

Don't install apps that require internet access or permission to make phone calls or send texts.

Sadly this user abuse by apps is a form of idiot tax on users who don't or won't understand how to manage their own safety.

Re:Simples - don't! (0)

Karlt1 (231423) | about a year and a half ago | (#41286863)

"Don't install apps that require internet access"

And in that case most of my apps are completely useless.

"or permission to make phone calls or send texts."

You do notice that this is a problem with only Android?

"on users who don't or won't understand how to manage their own safety."

Why should I have to "manage my safety" on a cell phone?

Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

Re:Simples - don't! (0)

Anonymous Coward | about a year and a half ago | (#41287975)

"on users who don't or won't understand how to manage their own safety."

Why should I have to "manage my safety" on a cell phone?

I've been told many times here on /. that it is a general purpose computer in a phone form-factor, and that my desktop is soon to be an obsolete waste of space and electricity, but I find the concept of over-reliance on smartphones stupid for this very reason. You want cellphone - you buy a cellphone, you want a computer in your pocket - you buy a tablet.

Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

Well, no, they're not _generally_ allowed. This is a special permission an application has to ask for and there are valid use-cases for the ability to call and send SMS. When a random app asks for these permissions it's damn suspicious and should probably be highlighted better in the store, but cutting it off completely would be throwing the baby out with the bathwater.

Re:Simples - don't! (1)

alostpacket (1972110) | about a year and a half ago | (#41288235)

You're right, almost all apps require internet access but not letting apps make phone calls or send texts is just the walled garden approach.

Wouldn't it be better if third party apps just generally weren't allowed to send SMS messages and make phone calls?

No. That would mean no alternative texting apps, or special dialers like T9 stuff. Additionally, the "Send SMS" permission is one of the most strongly worded by Google (one they actually explained well). It's even under the category of "Services that cost you money"

Anyways, personally I don't think it's fair to blame the OS for what is clearly a rip-off by the carriers. The problem here is that people don't know that SMS can cost them money or that the carriers are happily complicit in the process.
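An added example, not part of the thread or any poster's code: the comments above argue that SMS and call permissions are legitimate for texting apps and dialers but suspicious in a random app. The Python sketch below audits a manifest for that mismatch. It assumes the `AndroidManifest.xml` has already been decoded to text XML; the package names and sample manifests are constructed, and the "declares a messaging role" heuristic is this example's own assumption, not an Android or Lookout rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permissions that can run up carrier charges.
COST_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
# Heuristic (assumption of this example): a genuine texting app or dialer
# normally declares an intent filter for one of these actions and URI schemes.
ROLE_ACTIONS = {"android.intent.action.SENDTO", "android.intent.action.DIAL"}
ROLE_SCHEMES = {"sms", "smsto", "mms", "mmsto", "tel"}

def audit_manifest(xml_text):
    """Report cost-incurring permissions and whether the app's declared
    components explain them."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    costly = sorted(requested & COST_PERMISSIONS)
    declares_role = False
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        schemes = {d.get(ANDROID_NS + "scheme") for d in flt.iter("data")}
        if actions & ROLE_ACTIONS and schemes & ROLE_SCHEMES:
            declares_role = True
    return {
        "package": root.get("package"),
        "costly_permissions": costly,
        "declares_messaging_role": declares_role,
        # Flag for manual review: can spend money, no visible reason why.
        "needs_review": bool(costly) and not declares_role,
    }

# Constructed sample: a "free wallpaper" app that asks to send SMS.
SAMPLE_WALLPAPER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freewallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity></application>
</manifest>"""

# Constructed sample: an alternative texting app with a matching intent filter.
SAMPLE_MESSENGER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.altmessenger">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><activity android:name=".Compose"><intent-filter>
    <action android:name="android.intent.action.SENDTO"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <data android:scheme="smsto"/>
  </intent-filter></activity></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_WALLPAPER, SAMPLE_MESSENGER):
        print(audit_manifest(sample))
```

A `needs_review` result is a prompt for a closer look, not a verdict: an app can declare a messaging intent filter and still abuse the permission.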

Only prepaid SIM cards for me... (5, Interesting)

Anonymous Coward | about a year and a half ago | (#41286239)

I've been working as a programmer for nearly 20 years and I just love technology. I've used Linux as a desktop since the early days of Slackware, back when it took quite a leap of faith.

My cellphone? An iPhone... With a prepaid SIM card!

That way I'm sure that: a) I'll spend way less than any "plan" (master plan one could say ; ) any operator could come up with and b) no malware / premium SMS service / crazy app/site eating my 3G bandwidth can ever "eat" more than the data limit available on my prepaid card.

Re:Only prepaid SIM cards for me... (1)

tlhIngan (30335) | about a year and a half ago | (#41288747)

My cellphone? An iPhone... With a prepaid SIM card!

That way I'm sure that: a) I'll spend way less than any "plan" (master plan one could say ; ) any operator could come up with and b) no malware / premium SMS service / crazy app/site eating my 3G bandwidth can ever "eat" more than the data limit available on my prepaid card.

Technically, malware like that on iPhone won't get very far because of Apple restrictions.

First, an app can only send an SMS surreptitiously if it uses its own SMS network (kinda defeats the purpose of using the customer's SMS and phone bill). Otherwise it'll have to bring up the Messages app with the SMS pre-filled in and the user MUST click send on their own. There's no ability to send an SMS without the user knowing.

Likewise, all phone calls route to the standard dialer (and Apple doesn't allow alternative dialers unless they're VoIP or run on their own network separate from the user's).

The only thing malware can ding you for is 3G data doing these things, but that sort of payment only goes to the carrier, not so much a third party.

So your prepaid method generally works much better on Android where you don't have such OS restrictions and walled gardens to deal with.

Root cause (0, Offtopic)

geekmux (1040042) | about a year and a half ago | (#41286271)

Phone malware is reliant upon toll fraud?

No, not really. Phone malware is reliant upon users who think they need to carry around their lives in the palm of their hands. It's also reliant on the greed of vendors who think that every single "phone" in the universe needs to have at least 4,027 features to compete with every other vendor, (oh, and also so they can try and charge you for 4,026 of them.)

Go figure what happens when you increase your attack vector to the size of a commercial airline runway. Maybe we can stop calling these personal tracking superdevices "phones" now, because the only thing my old-fashioned phone could ever get "infected" with is rust.

Youtube (-1, Offtopic)

puddingebola (2036796) | about a year and a half ago | (#41286397)

Searched for SMS toll fraud on Youtube and found far more shocking and disturbing videos of New Yorkers and New Jerseyites running toll plazas on state highways. Let's get our priorities straight on this website and start addressing issues that have real consequence please.

That's a relief! (1)

antifoidulus (807088) | about a year and a half ago | (#41286615)

For a moment there I thought my mom was running a Russian Bride ring and trying to sell me one.... It's probably just malware...at least that's what I tell myself anyway.

Off by a factor of 10. (2)

Dean Edmonds (189342) | about a year and a half ago | (#41287617)

The report says that devices in Japan have a 0.04% chance of being infected. If China and Russia are "10,000 times more likely" to be infected then that would give them infection rates of 400%, which seems unlikely.

In fact the report states that the rate for Russia is 41.6% making it "only" about 1,000 times more likely than Japan.

Re:Off by a factor of 10. (0)

Anonymous Coward | about a year and a half ago | (#41288843)

What's an order of magnitude between friends?

Re:Off by a factor of 10. (0)

Anonymous Coward | about a year and a half ago | (#41291609)

Math is hard.
