UK Regulator swiftly resolves Android malware infection

The following text from UK regulator PhonepayPlus illustrates:

1) The huge, huge problem with Android’s wild west marketplace

2) The potential scale that Android malware can achieve in a short amount of time

3) The reality that consumers using Android need to seriously keep their wits about them

I have been pretty direct with my opinions (mostly negative) on what I feel has been a rather lukewarm approach from PhonepayPlus in the past. I’m pleased to see firm action from them.

Here’s the overview:

A malware attack targeted at 18 countries that cost unsuspecting users £15 every time they tried to open a ‘free’ app has been cut off by PhonepayPlus, the UK’s premium rate telephone services regulator.

Sanctions imposed by the regulator’s Tribunal will see all money returned to UK consumers on top of a £50,000 fine imposed on the provider of the premium rate shortcodes that enabled the apps to fraudulently charge smartphone users.

Fake apps of popular brands including Angry Birds, Assassin’s Creed and Cut the Rope were posted to Android app stores. These fake apps were advertised as free but contained malicious coding (malware) that charged the phone’s account £15 every time the app was opened (usually charged through three £5 premium rate texts). The malware suppressed the sent and received text messages that notify users they have been charged. It was only when consumers received their bill that they were alerted to the fraudulent charges.

This malware attack was dubbed RuFraud by security experts and approximately 14,000 downloads of the malicious apps were made worldwide. The RuFraud attack affected 1,391 mobile numbers in the UK and £27,850 was taken before the shortcode was suspended. Due to PhonepayPlus’ and industry’s swift action in identifying the malware, ensuring that the shortcode was suspended and that the money was held and not passed on to the fraudulent app developers, none of this £27,850 of UK consumers’ money reached the fraudsters.

PhonepayPlus investigated and took action against the provider, A1 Agregator Limited, who had control of, and responsibility for, the premium rate payment system which enabled the malware to fraudulently charge consumers’ mobile phone accounts. A1 Agregator Limited was issued a fine of £50,000, ordered to make refunds directly to ALL consumers within three months, whether or not they had complained, and directed to seek prior permission for a year from PhonepayPlus to run any premium rate service in the UK.

Patrick Guthrie, PhonepayPlus’ Director of Strategy and Communications said:
“We will continue to clamp down on those who wish to take advantage of UK smartphone customers. We are very pleased that the tribunal ordered that everyone affected will get their money back and that a strong fine was imposed. The digital economy is vital to the UK’s future and we will continue to take action to maintain the confidence of the public.”

PhonepayPlus recently held the first UK mobile malware summit and works closely with the police, mobile networks and antivirus companies to combat the threat to UK consumers from premium rate malware.

By Ewan

Ewan is Founder and Editor of Mobile Industry Review. He writes about a wide variety of industry issues and is usually active on Twitter most days.

4 replies on “UK Regulator swiftly resolves Android malware infection”

Unfortunately PhonepayPlus did not help to prevent this happening. It was only spotted after consumer complaints and up to £50,000 damage had already been caused. The company were also not correctly registered with the regulator at the time so there have been massive failures all-round. 

This is likely to be the tip of the iceberg as PhonepayPlus does not want to regulate directly on this as they would rather pocket the fine revenue at the moment. PhonepayPlus could mandate that prior permission is needed for all Mobile applications that have MT billing. This was (eventually) mandated for diallers but not until massive consumer harm had been caused.

Slightly off topic, but why on earth did they rename ICSTIS “PhonepayPlus”? ICSTIS sounds like a regulator, PhonepayPlus sounds like some mPayments offering.

I may feel confident wading through the Android store should I decide to get one, but my Dad has got the touch screen bug after suffering along with a Wildfire for a while, and I am adamant that if it must be a touch screen and he does not want a Nokia then it really has to be an iPhone. I’m sorry but I just don’t feel that Google care enough right now.
