During the summer of 2011, one-click fraud targeting smartphones was discovered. One-click fraud has now become so common that doing a quick search for certain keywords on the Internet using a smartphone leads to a high possibility of coming across one of the scam sites. The typical attack simply attempts to trick users into registering for a paid service. Details of the users and their phones are displayed on the page in an attempt to convince them that the site owners may take legal actions if the user does not pay them a certain amount of money. There were no malicious files involved. More details are available in this blog.
Now, in 2012, one-click fraud for smartphones has evolved and begun to use applications. File usage for the fraud is common on the Windows platform and has been used for years. When users attempt to view a video on a computer, they are asked to execute an HTML Application file (.hta) which causes annoying pop-up messages to appear on the desktop.
Now let's examine how apps are used to implement fraud on smartphones. Below is an example page of one of the scam sites. It looks like a typical adult website where users can watch videos.
Clicking on a video results in a page asking if the user is over 18 years old.
A download page will then be displayed where clicking the download button downloads the application onto the phone. The page also includes instructions on how to install the application.
Below are the permissions which are requested. It is unusually for an app meant to view videos to require start at boot, user location, and search of accounts, to name some of the requested permissions. These unusual permission requests should cause alarm bells to start ringing.
After installation, the app frequently opens the browser and displays a registration page with user details such as the customer ID, phone number, and account used on the device, in order to persuade the user into making a payment. It is nearly identical to the fraud approach used on Windows computers.
The fact that this type of fraud can determine a user’s phone number and email address is a frightening development for smartphone users. In the past this has not been possible. Who knows how many ways these personal details could be exploited for future scams?
If a user's device becomes compromised they can uninstall the application with the “Manage Applications” setting. Be mindful of follow-up scams however. It may be a good idea to configure your devices not to allow installation of non-approved applications (e.g. apps not distributed on the Market). Use of security software is also recommended. Symantec detects the malicious application as Android.Oneclickfraud.