Researchers at Symantec say one-click fraud scams targeting users on Google Play have added some new steps to their dance with Google Android users.
“Because of the success the scammers appear to be having, it seems a new player has come along to try their luck on the market,” Symantec researcher Joji Hamada blogged. “The new scam is a variation on the typical one-click fraud we see in Japan.”
“The new type not only requires clicks, but it also requires users to send an email in order to register to become a member of a service, call a given phone number to acquire a password, and enter the password to log into the fraudulent site,” he continued. “That’s quite a bit of work to get through just to be scammed. Once the user successfully logs into the site, they are charged an annual fee of 315,000 yen, which is equivalent to approximately US$3,150, for watching online adult videos without any obvious prior warning of the fee.”
During the past seven months, one-click scammers have published more than 1,200 suspicious applications on the Google Play app store, according to Hamada. Most were taken down the same day they were published, while others were able to persist undetected for a few days.
In one instance, users who download and opened a particular app caused the browser to open an adult video site. If the user tries to play a video, they are required to register to become a member. Afterwards, the site returns an email with a link. Clicking on that takes the user to yet another service on a different site, Hamada explained.
“This time when a video is selected, the user is asked to enter a password to log in,” he wrote. “Clicking on ‘confirm password’ prepares the phone to make a call to a pre-determined number.”
“When the call is made to this number, an automated message tells the user the password,” he continued. “After logging into the site with the given password, a page appears on the browser informing the user of the registration details as well as notifying them of a whopping 315,000 yen annual fee due in three days.”
There is a hidden link to an end user licensing agreement on the page where the password is entered. The link is in the sentence that states that only adults were allowed to use the site, and is “very faint” compared to other text on the page, Hamada wrote.
“Because these apps only launch the browser to open certain sites, which request users to take additional steps to reach the final destination, it can almost be impossible for any system to confirm anything malicious about these apps,” he added. “The manual steps required in this scam is another strategy used to keep the apps on the market as long as possible.”