Phone-Focused Cyber-Criminals Move to Premium Scams

Cyber-criminals have searched for ways of turning mobile phones into illicit cash, and they may have finally found one: toll fraud. Lookout has found that the bulk of criminals are moving to premium-service scams that charge users illegally for services.

While malicious software targeting mobile phones has surged, it's still a drop in the bucket compared with the horde of viruses, Trojan horses and rootkits that plague personal computers. For good reason: Mobile devices are typically of limited value to online criminals, who are driven by dollars.

Yet criminals in China, Russia and Eastern Europe have found a model that appears to work well: Using malware to charge for fraudulent premium services. Known as toll fraud, the technique has taken off, accounting for 79 percent of all malware detected by mobile security firm Lookout, the company stated in a report released Sept. 6. Fake installers are the primary method for infecting users and have likely brought in millions of dollars from victims in Eastern Europe and Russia, according to Lookout.

"Malware developers are following the money, and the money is in toll fraud," said Derek Halliday, the lead security product manager at Lookout. "It's really because it is the simplest way for the malware writer to steal funds from someone."

Premium services are normally used to allow people to get regularly delivered content, such as a daily horoscope, or vote on their favorite American Idol. Charges for the services are added to the user's phone bill. While that seems fairly simple, there are enough complexities behind the scenes that it becomes difficult to identify the bad guys.

While it's a more difficult scam to pull off in the United States, toll fraud has made millions for cyber-criminals in other countries, the company said. While only 29 percent of malware detected in the third quarter of 2011 was classified as toll fraud, that number had climbed to 62 percent in the second quarter of this year. The trend, and the report in general, accounts for malware on Android phones, not on Apple's iOS devices. Because of Apple's relatively closed app store, its devices have been targeted by far fewer attackers.

The software ecosystem available to users, and users' own actions, make a big difference in whether they are at risk, the report found. In the United States, where users have a relatively well-managed app store in the Google Play marketplace, less than 1 percent of new Lookout users had malware on their devices. In China, Eastern Europe and Russia, however, 42 percent of users had malware already on their phone when they installed Lookout, Halliday stated.

"There is really a huge disparity globally when you look at the level of risk that some certain areas of the world are exposed to here," he said.

The rate varies from month to month, depending on whether there is a spike due to one very successful campaign.

In the United States, malicious Web links and aggressive advertising are far more common, Lookout found. Nearly four out of every 10 users will click on an unsafe link on a mobile device this year, and more than 5 percent of users will encounter an overly aggressive ad, the company said. In almost two-thirds of cases, an unsafe link will lead to a malicious site designed to infect the device. More than 20 percent of unsafe links attempt to phish the user for sensitive information, while 16 percent lead to compromised sites.

Aggressive ads access information without giving suitable warning, change browser and mobile device settings, and push other ads outside the original application. Personalization apps have the greatest incidence of aggressive advertisements, with 17 percent of free personalization applications having some form of aggressive advertisement. Free entertainment apps are the next most common offender, at 8 percent.

Lookout recommends that users set a passcode on their device, only use trusted sources for downloading and purchasing applications, double check any Web links on which they click, and use a security application.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...