Promises of easy money should be taken with a grain of salt – especially when they come with a request to download a mobile app.
Case in point is Bazuc, an application that was available earlier this month in the Google Play Store. It has since been taken down. But at one point, it may have been downloaded as many as 50,000 times, according to Lookout Mobile Security.
“Once you’ve downloaded the app, Bazuc can be used to send virtually untraceable SMS messages in bulk, which look like they came from your phone,” blogged Marc Rogers, a researcher with Lookout. “In fact, they did come from your phone. The authors of Bazuc are charging companies to have users send out these cheap SMS messages on their behalf, helping the companies bypass spam detection and automated anti-fraud systems. This operation is putting personally- identifiable information at risk, exposing targeted users to phone calls and SMSs from unknown people, and swindling operators out of money.”
On the surface, it doesn’t sound like a bad deal. Bazuc, Rogers explained, is actually a pair of applications: ‘Bazuc Earn Money’ and ‘Bazuc Free International SMS’. Bazuc Earn Money offers to pay $.001 per message, and tells the user they may earn as much as $30 a month. However to earn that $30, 30,000 messages would have to be sent.
With Bazuc Free International SMS, when a person tries to send a message to an international number, the app opens the default email, and puts the recipient’s phone number appended with @buzac.com in the ‘to’ field. Afterwards, the user is invited to type a message into the email.
“”Bazuc Free International SMS” remained non-functional for the duration of our testing, suggesting that it may be part of a cover for the dodgy SMS network,” Rogers continued. “By establishing a friendly cover like this, it makes users more comfortable with allowing their devices to be used.”
Lookout investigated the SMS network and found a number of players involved both wittingly and unwittingly – bulk messaging providers, phishers, spammers, banks and smartphone owners. Despite the app author’s claim that the app is used to offer free messaging to users, out of 200 messages Lookout analyzed, they only saw human-to-human messages three times. The majority of the messages appear to be machine-to-machine, with 40 percent being service or transaction alerts and 30 percent PIN code and password messages. Eight percent appear to be advertising spam.
“Although all the messages sent through our test devices were aimed at U.S. subscribers, few if any of the messages appeared to be U.S. in origin,” Rogers wrote. “Some of the identifiable countries of origin that we saw were Nigeria, Russia, Poland and Mexico.”
Several messages were identified to have come from well-known American and African banks. While at first glance the messages appear to be phishing messages, Lookout suspects they may be legitimate. The banks it seems signed up with the bulk SMS messaging network to send customer transaction information, Rogers explained.
“If that’s true, they aren’t alone,” he blogged. “During our examination of the network, we received PIN codes, chat invites, OTP or mobile TAN messages, psychic readings and even a wire transfer.”
“Bazuc is one more in the growing category of grey area threats which operate by finding loopholes in the mobile ecosystem,” he continued. “Rather than Bazuc breaking the Terms of Service, it’s the people who download Bazuc who are violating their operator’s Terms of Service and put themselves at risk of having their cellphone service terminated. It’s the users that are likely to pay the price when operators start to terminate mobile accounts or charge out of bundle rates on those messages. At an average price of $0.10c – $0.15 per out-of-bundle message, these users could be looking at a bill of $300 – $400 for messages. Compare that to the $3 Bazuc paid them.”
“The user is also likely to be left holding the baby when concerned bank customers come calling,” he added.