In the past we’ve reported about one-click billing fraud schemes starting to target smartphone users. The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. The past attack we saw involved a website wherein target victims were asked to pay for a certain amount in order to prevent their information from being sent to an adult site.
We’ve found a similar scheme, but this time it specifically targets Android users through a malicious app.
The attack is triggered by a blog site that features videos showing gamers playing. The said blog, called “Game Dunga”, has changed its domain three times in the past. In the previous versions, there were a lot of links leading to the game-playing videos (not only adult content). The current one, however, (the third generation) includes links leading to only adult contents.
Trying to view any of the videos triggers a pop-up asking the user to download a malicious app detected as ANDROIDOS_FAKETIMER.A. ANDROIDOS_FAKETIMER.A gets the Android user account information, and sends them as to a certain URL as parameters for the following methods:
- getAccounts() method – to acquire Gmail account information managed by the affected users’ devices.
- getDeviceID() method – to acquire the SIM information of the affected devices
- getLine1Number() method – to acquire the mobile number of the affected devices.
The information gathered by these methods is sent to the cybercriminals.
ANDROIDOS_FAKETIMER.A also displays a pop-up window that shows the message “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”
ANDROIDOS_FAKETIMER.A also displays the information it stole in order to build credibility for it self, and better convince the victim to pay the amount.
App usage for this one-click billing fraud gives the scheme a level of persistence that was not evident before. In past schemes, the routines were mostly executed through a malicious website, and closing the browser would stop the attack. For this, however, since the one responsible for the routines is an app installed in the device, the prompts asking for the user to pay are shown repeatedly. We studied the code and found that the pop-up is set to show every 5 minutes.
Should users encounter a similar site, they are advised to leave the site immediately and not click any links to avoid getting victimized. Smart Protection Network already blocks the related URL via our Web Reputation technology and detects the malicious application.
For more information on other mobile threats, as well as tips on how to keep one’s device safe, please check our Mobile Threat Information Hub.