Various malware and riskware programs created for mobile platforms with premium rate SMS usage have been a huge problem for a very long time for users from countries like Russia, Ukraine or China. What about other countries?
And now it is time for ‘porn SMS senders’ targeting users at least from US, Malaysia, Netherlands, UK, Malaysia and Kenya whose mobile devices are equipped with Android or J2ME. We’ve discovered a number of application (not-a-virus:RiskTool.AndroidOS.SMSreg and not-a-virus:RiskTool.J2ME.SMSreg families) which send a number of expensive SMS messages in order to subscribe to various services. It is important to mention that all apps contain ‘Terms & Conditions’ with the description of a particular program and cost of the SMS message/subscription.
The first piece of riskware we’ve discovered targets users of Android smartphones from the Netherlands. An application named ‘nooit spijt’ (‘never regret’ in Dutch) sends three SMS messages costing 1,5 EUR each. Complaints on various forums say that this app is spread via advertisements in other applications.
Main windows of ‘nooit spijt’
If you tap on ‘Video’, ‘Foto’ or ’Muziek’ the application will show the following image.
If a user taps on this image the application will try to download another APK file (an application named ‘MelkBoerderij’ or ‘milk farm’ in Dutch) with absolutely the same functionality but with other more explicit images.
The URL inside the application looks like this http://m.****2u.com/content/Mfun/photo/NL/*/*/MelkBoerderij_adm_nl2503.apk. By modifying it we were able to find more APK files and some JAR files for the J2ME platform. These apps also were created for subscription implementation but pose as dating apps. The way these apps spread is still unclear, but it is obvious that each app is created for users from a particular country. E.g. a user from the US will see the menu where he can ‘find a girl’ from US cities.
A user from the UK will see almost the same menu but with different names and cities.
If a user chooses any option he will see a page with the information (likely fake) about a person.
‘Terms & Conditions’ can be found if a user chooses ‘Menu’.
Here is the list of all premium rate numbers which were used in the applications we’ve found:
The problem of reading EULAs (or rather not reading them) may lead to consequences like abnormally high phone bills due to careless usage of such applications. If a user doesn’t read such agreements carefully he might not even notice that the particular application sends expensive SMS messages.
And one more point: various activities connected with premium rate SMS messages (SMS Trojans, scam campaigns, riskware) are most widespread in Russia and China. But the appearance of several applications which use premium rate SMS messages and target users from completely different countries leads us to the conclusion that it’s no longer just a problem in Russia and China problem, unfortunately.
Thanks to my colleagues Roel Schouwenberg and Michael Molsner for their help.