Panda Security has identified malicious apps on Google Play that can sign users up to premium SMS subscription services without their permission. These new threats have been able to infect at least 300,000 users so far, although the number of malicious downloads could have reached 1,200,000.
“Easy Hairdos”, “Abs Diets”, “Workout Routines” and “Cupcake Recipes” are among the malicious apps available for download on Google Play.
In the case of “Abs Diets”, for example, once the app has been installed and the user has accepted the terms and conditions of use of the service, the following happens: Firstly, the app displays a series of tips to reduce abdominal fat. Secondly, and without the user’s knowledge, the app looks for the phone number of the mobile device, connects to a Web page and signs the victim up to a premium SMS subscription service.
However, how do fraudsters obtain the phone number of the device? The number is “stolen’ from one of the world’s most popular apps: WhatsApp. As soon as the user opens WhatsApp, the malicious app will get the phone number and save it as part of the data it needs to synchronize the account.
According to data from Google Play, this app has been downloaded by between 50,000 and 100,000 users. The other apps work in exactly the same way, so it is safe to say that the four malicious apps may have infected between 300,000 and 1,200,000 users in total.
“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, £20 paid by each user would result in a huge sum of 6 to 24 million pound stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.
Regardless of the security solution installed on their devices, users must always read the list of permissions requested by apps before installing them. If an app requires permissions to access the Internet or read SMS messages when there is no need for it, it should not be installed.