
Android Malware sending premium SMS short codes

davidm_uk

A month or two ago, my 12 year old son installed two seemingly innocent-looking applications on his Android phone (from the Android Market). They appeared to be fun HTC applications to show dice throwing and coin flips. (I believe they were called HTC Dice and HTC Coin Flip, and even claimed to be published by HTC.) Although he didn't notice at the time (unfortunately), they requested permissions including "Send and receive SMS" and "Edit SMS log".

A few days later, I happened to check my son's Orange account online. I was amazed to see
 
Hi David,

Unfortunately malware that does this does exist. It's usually a threat with apps downloaded from non-market sources, but there have been a few that got into the Play Store. They are generally taken down quickly, and I can't find these apps there, so you may just have been unlucky.

The apps claiming to come from HTC is a warning in itself - HTC generally don't distribute their stuff via the market.

It may help you in arguing with Orange to know that this stuff exists - tell them to google "android malware premium sms" and they'll find it!

Good luck, and thanks for the warning.
 
Well, the apps in question don't exist in my Android Play Store, so maybe he got them from the HTC section? Have you checked the app descriptions?
 
@Hadron - doesn't HTC have a market section for HTC only? Like Sony does? Thus it has a distribution venue through the market.
 
@chanchan05: it doesn't show on my HTC, or via browser when not logged in. Though as I removed Sense 2 years ago any HTC stuff wouldn't work on my Desire. I knew they had a way of downloading HTC widgets, but thought it was via some other route.
 
When I did a Google search for the apps earlier, I think I found a reference to getting them through an HTC app - so what Hadron says about them not generally being available on the Play Store makes sense. I think there must have been rogue versions on Play briefly, and my son must just have been unlucky to install them when he did. I would have hoped that Google would have notified us when finding them to be malware, however.
 
When Google finds them out as Malware, from what I know they do a remote uninstall. You'd just find them missing from your phone. At least that's how I remember they do stuff.
 
Orange continue to investigate this issue for me, which is very kind of them. Unfortunately, they are repeatedly being told that the user (my son) must have these text messages. I was told today that "there is no way that an application could send SMS messages without your son knowing". I mentioned the highly-rated "Where's my Droid" app which does exactly this for good purposes, but was told that we'd "just have to differ" on this. I am currently waiting for a manager to call back.
 
Proof that Orange are talking nonsense and I'm not going mad is in the descriptions of application permissions on the Play Store:

send SMS messages
Allows the app to send SMS messages. Malicious apps may cost you money by sending messages without your confirmation.

receive SMS
Allows the app to receive and process SMS messages. Malicious apps may monitor your messages or delete them without showing them to you.
 