You may never have heard of one-click fraud, but it's likely you'll hear much more about it this year. That's because one-click fraudsters are targeting big-time players like Google...or, you might say, players on Google.
According to Symantec, one-click fraud is a scam that lures users interested in adult-related video to a site that attempts to trick them into registering for a paid service. For many years, it has been common to see this type of fraud on computers.
"As smartphone usage has increased, so has the number of these types of scams on smartphone devices," Joji Hamada of Symantec wrote in a blog post. "People typically come across these scam sites by searching for things that they are interested in or by clicking on links contained in spam messages. We also witnessed the advent of one-click fraud Android apps just over a year ago and those apps can now be found on Google Play."
Big Money Scam
Symantec is reporting that the apps can be found on Google Play through keyword searches in the same manner as an Internet search. For example, entering Japanese words related to pornographic video results in one of these apps being at the top of the search results at the time of writing.
Hamada explained that the apps typically only require the user to accept the "Network communication" permission, although some variants do not require the user to accept any permissions. This, Hamada said, is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off-guard when launching the app.
"The first variant of this type of app that we have seen appeared in late January, although it is possible that apps were released earlier than this. From then on, the apps were published by different developers each time and the number of apps steadily grew though many were removed from Google Play at one point for unconfirmed reasons," Hamada said.
"We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis. We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months. As far as victims go, we are not aware of how many of these users actually paid money to the scammers; the "service" costs about 99,000 yen (approximately U.S. $1,000). It certainly must be worth the time and effort for the scammers as they have continued doing business for over two months."
We asked Satnam Narang, a security response manager at Symantec, for his take on the scam. He told us the ultimate goal of the creators of these apps is to turn a profit off of unsuspecting Android users.
"So, users who fall victim to the scam end up losing money. No English-language apps were identified as part of this particular group of discovery; all targeted Japanese-language speakers," Narang said. "However, there is no reason to believe that this same scam could not be perpetrated with English-language apps."
Narang went on to say that these types of malicious apps can sometimes be hard to spot. In general, he noted, it's a good idea to avoid downloading apps from sources other than trusted app marketplaces. Likewise, it's a good idea to pay close attention to the permissions apps request.
"Another trick is to look at the reviews from other users who downloaded the apps," Narang said. "However, in the case of these malicious apps, these tactics aren't as effective. So in this case using security to detect and remove malicious apps is probably the No. 1 thing users should do."