SEATTLE — Here is something the phone companies got right.
U.S. carriers have quietly instituted policies that largely protect American consumers from a teeming industry of cyberscammers who’ve perfected SMS premium texting scams.
The scam tricks victims into downloading a corrupted mobile app that causes an Android handset to begin sending premium text messages, which can cost victims as much as $20 per text.
The scale of what these scammers have accomplished is astounding.
“Mobile malware is a global problem,” says Michael Callahan, a product marketing vice president at switch maker Juniper Networks. “It can be found and downloaded from users from any country.”
Mobile security company Lookout has traced the activities of 10 groups in Russia and Eastern Europe behind complex affiliate programs that match the efficiency of any multilevel marketing scheme you care to name.
These gangs have been in operation for at least three years and have likely raked in millions of dollars.
SMS premium texting scams continue to run rampant in Europe and Asia, and earlier this year even seeped into Google Play and spread to some U.S. Android users.
“We notified Google and they promptly removed all apps and suspended the associated developer accounts,” says Kevin Mahaffey, Lookout’s chief technology officer.
However, U.S. consumers are less exposed than the Android users in Russia, Eastern Europe and China. That’s because U.S. carriers give consumers 60 days to complain about fraudulent phone charges.
“In Russia, there is nothing much you can do when you are a fraud victim, and therefore it is much more profitable to commit fraud,” says Andrew Conway, a researcher at messaging security firm Cloudmark.
Also, most Americans get their Android apps from Google Play, the search giant’s official application store, which Google aggressively polices. In parts of Europe and Asia, Android users are more likely to get their apps from third-party sources, which the open Android platform permits.
According to Lookout, here is how the bad guys have adopted multilevel marketing methodology to create a robust cottage industry:
First, the organizers invest in developing malware that can be easily hidden in popular apps distributed mainly via independent app stores.
Next, they set up full-blown online marketing campaigns offering cash and prizes to “affiliates” willing to use social media and online ads to steer victims to the tainted apps.
The affiliates get creative with social engineering ploys, often using scare tactics, such as tweeting bogus warnings to install urgent updates for Adobe Flash, Skype, Opera Browser and Google Play.
Once a phone gets infected and starts placing, and billing, SMS premium texts, everybody gets paid.
“Many campaigns don’t use scare tactics at all, but instead entice users with free versions of paid apps, pornography or mp3 downloads,” says Ryan Smith, a senior researcher at Lookout. “Each affiliate has the flexibility to choose a campaign tactic that works best for their target audience.”
Juniper’s Callahan, for one, won’t be surprised if premium texting scams resurface in the U.S.
“As the volume and sophistication of mobile malware continues to increase, so, too, does the likelihood that consumers and businesses will encounter these threats around the world,” he says.
Bottom line: Play it safe. Download only from the official app stores policed by Google, Apple, Microsoft and BlackBerry, respectively. Pay for and use a mobile antivirus program and keep it updated. And inquire about corporate policies and protection for personally owned devices used for work.
Retrieved from USA Today