Hidden ToS in legitimate-looking apps tricked users into signing up for expensive text messaging services
Google has removed 22 malicious apps from its Android Market that were tricking users into signing up for expensive text messaging services.
The apps were discovered by Lookout Mobile Security, which claimed that the malicious apps first appeared as horoscope apps. They contained what Lookout called "fairly hidden" terms of service (ToS), and a single "Continue" button, which was taken as confirmation that the user had agreed to the ToS.
Users were then signed up to expensive text message services, which the BBC claimed could cost up to £3 per message sent and received. The malicious apps were part of the RuFraud scam, Lookout said.
A second wave of malicious applications then appeared, which were disguised to look like more popular, legitimate apps, such as Angry Birds and wallpaper apps.
The attacks have affected users across Europe, Lookout said.
Sophos’ Vanja Svajcer said Google should have reacted more quickly to what has become a big problem for Android devices.
"Misusing premium SMS services is the most common model for malicious mobile malware. When a malicious app is installed, it starts sending or receiving messages, which makes the installation very expensive for the user. The damage is often seen only when it is too late, once a monthly bill is received," he wrote.
"Google’s reaction has been quick, but not quick enough – at least ten thousand users downloaded one of the malicious apps from the list," he added. "We have already stated several times that the requirements for becoming an Android developer that can publish apps to the Android market are far too relaxed. The cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps."
Unlike Apple’s App Store, entries to the Android Market are not vetted before they go live, meaning users must be much more aware of what they are downloading and ensure they read the ToS fully.
Lookout Mobile Security recently said malware aimed at Android devices is on the rise, and that cybercriminals may have stolen more than $1m from Android users via these text messaging scams.