
    In the past we’ve reported about one-click billing fraud schemes starting to target smartphone users. The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. The past attack we saw involved a website wherein target victims were asked to pay for a certain amount in order to prevent their information from being sent to an adult site.

    We’ve found a similar scheme, but this time it specifically targets Android users through a malicious app.

    The attack starts from a blog site that features videos of gamers playing. The blog, called “Game Dunga”, has changed its domain three times in the past. The previous versions contained many links leading to game-playing videos (not only adult content). The current one, however (the third generation), includes links leading only to adult content.

    Trying to view any of the videos triggers a pop-up asking the user to download a malicious app detected as ANDROIDOS_FAKETIMER.A. ANDROIDOS_FAKETIMER.A collects the Android user’s account and device information and sends it to a certain URL as parameters. The information is gathered with the following methods:

    • getAccounts() method – to acquire the Gmail account information managed on the affected user’s device
    • getDeviceId() method – to acquire the SIM information of the affected device
    • getLine1Number() method – to acquire the mobile number of the affected device

    The information gathered by these methods is sent to the cybercriminals.

    ANDROIDOS_FAKETIMER.A also displays a pop-up window that shows the message “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”

    ANDROIDOS_FAKETIMER.A also displays the information it stole in order to build credibility for itself and better convince the victim to pay the amount.

    Using an app for this one-click billing fraud gives the scheme a level of persistence that was not evident before. In past schemes, the routines were mostly executed through a malicious website, and closing the browser would stop the attack. Here, however, the routines are run by an app installed on the device, so the prompts asking the user to pay are shown repeatedly. We studied the code and found that the pop-up is set to show every 5 minutes.
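The post describes three data-collection calls, a network upload, and a repeating prompt, which together form a triage signature an analyst can check for in a decompiled sample. The script below is an added example, not Trend Micro's code or the malware's: it takes an AndroidManifest.xml and apktool-style smali lines (both constructed here, not from the real sample), maps each sensitive call to the permission it needs, and flags the combination the post describes.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# The three collection calls named in the post and the permission each requires
PII_APIS = {
    "Landroid/accounts/AccountManager;->getAccounts": "android.permission.GET_ACCOUNTS",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
    "Landroid/telephony/TelephonyManager;->getLine1Number": "android.permission.READ_PHONE_STATE",
}
NETWORK_SINKS = ("Ljava/net/HttpURLConnection;->", "Lorg/apache/http/")  # exfiltration sinks
REPEAT_TIMERS = ("Landroid/app/AlarmManager;->setRepeating", "Ljava/util/Timer;->schedule")
CALL_RE = re.compile(r"(L[\w/$]+;->\w+)")  # class;->method as it appears in smali

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}

def assess(manifest_xml, smali_lines):
    perms = declared_permissions(manifest_xml)
    report = {"pii_calls": {}, "network_sink": False, "repeating_timer": False}
    for line in smali_lines:
        m = CALL_RE.search(line)
        if not m:
            continue
        call = m.group(1)
        if call in PII_APIS:  # True if the permission needed for the call is declared
            report["pii_calls"][call.split("->")[1]] = PII_APIS[call] in perms
        elif call.startswith(NETWORK_SINKS):
            report["network_sink"] = True
        elif call.startswith(REPEAT_TIMERS):
            report["repeating_timer"] = True
    usable = sum(report["pii_calls"].values())  # calls that can actually succeed
    report["verdict"] = ("billing-fraud pattern" if usable >= 2 and report["network_sink"]
                         and report["repeating_timer"] else "needs manual review")
    return report

# Constructed sample input, shaped like apktool output; not from the real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_SMALI = [
    "invoke-virtual {v0}, Landroid/accounts/AccountManager;->getAccounts()[Landroid/accounts/Account;",
    "invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;",
    "invoke-virtual {v2}, Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;",
    "invoke-virtual {v3, v4, v5, v6, v7}, Landroid/app/AlarmManager;->setRepeating(IJJLandroid/app/PendingIntent;)V",
]
if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_SMALI))
```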

    Should users encounter a similar site, they are advised to leave the site immediately and not click any links to avoid getting victimized. Smart Protection Network already blocks the related URL via our Web Reputation technology and detects the malicious application.

    For more information on other mobile threats, as well as tips on how to keep one’s device safe, please check our Mobile Threat Information Hub.


    • Mike

      It is unfortunately not even very simple. Even if a credit card is used, which is not necessarily the case, as some of the registrars will take other forms of electronic payment, the link between the scammer and the credit card may be quite hard to follow, as they probably bought the details on the black market and have no connection to the original hack. It could be easier to follow the payment from the victim, but the scammers can use 100% online banks to receive the payment, which allows them to provide fake details for the registration of that account. They can then launder the money electronically around the world, or pay different online groups to do that for them.

      The jail sentences are, as you say, quite short for this kind of offense in Japan. I recommend you read this paper by Christin et al. at Carnegie Mellon University as it will give you a good understanding of one-click fraud.

      I assure that the Japanese Police are doing as much as is possible to catch these guys.


    • Hirohito

      Again, this is SO VERY SIMPLE to solve (okay, not ‘perfectly’ simple) but, no matter WHAT domain they hide behind, IF the ISP is allowing the domain to host malicious apps, SOMEBODY USED A *CREDIT CARD* TO *** PAY *** FOR THE DOMAIN!

      New laws are needed *NOW*, to force expedited information disclosure to law enforcement in cases like this!

      Either way, CIA, FBI, etc. CAN FIND OUT ** WHO *** PAID FOR THE DOMAIN(S)!

      It really IS that simple. And, if the registrars are NOT verifying information on their subscribers who are paying for these malicious hosting areas, then the ISPs need to be sued and/or put out of business.

      Granted, Mr. HACKER might have stolen the credit card of “Mary Jones” (innocent victim) and he is using her credit card, but still – FOLLOW THE *** MONEY *** and it will lead you to the criminals!

      And, when you DO find them, they need LOOOONNNNNGG JAIL SENTENCES!




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice