Video Screencast Help
Symantec Connect login will not be available from 7am-1pm PT, Saturday April 12th, estimated. During that time, you will not be able to log in or engage in any activity on the site such as posting, commenting, or voting. You can still view and search content. Sorry for the inconvenience.

Busy August for One-Click Fraud Scammers on Google Play

Created: 09 Sep 2013 23:57:03 GMT • Updated: 23 Jan 2014 18:04:18 GMT • Translations available: 日本語
Joji Hamada's picture
+1 1 Vote
Login to vote

For many of us around the globe, August may be a month to take a bit of a break from work and go on a summer holiday. In contrast, August appears to the busiest month of the year for the scammers developing Japanese one-click fraud apps. They have increased productivity to publish close to 1,000 fraudulent apps on Google Play during August. As a result, they have succeeded in tricking Android device owners into downloading the apps at least 8,500 times, according to statistic shown on the Google Play app pages. The actual figure is likely much higher and probably exceeds well over 10,000 downloads.
 

Figure1_0.png

Figure 1. Daily publication count for August
 

The number of one-click fraud apps published from the beginning of the year to the end of August now totals approximately 2,500, and the scammers show no signs of slowing down. As usual, most of the apps in August only survived one night before they were removed from the store by the following morning. Although it appears that one night is enough for the scammers to score numerous downloads. The scammers routinely publish apps every single afternoon, perhaps as they end their working day in the office. The chance of app survival increases when they are published over the weekend and some are lucky enough to live for several days allowing time for hundreds of downloads.
 

Figure2_0.png

Figure 2. Apps published monthly
 

As in previous months, August saw several new types of one-click fraud apps appear. They tend to use different tactics, but these new variants have not been very successful, eventually disappearing quite quickly. Interestingly, the same group of scammers publishes 97 percent of the apps.
 

Figure3.png

Figure 3. Variants published in August
 

One of the newest variants has had some success in staying alive on Google Play, though the number of downloads remain limited. These apps include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service. The fee to watch adult videos on these sites is typically around US$1,000, which is extremely expensive compared to the average cost of a legitimate service. By mixing the malicious links among other legitimate links, the apps attempt to stay hidden from security checks. The bad links also lead to a redirector URL that then directs the apps to open whatever sites the redirector is configured with. This allows scammers to easily modify where the apps ultimately lead to on the server side if they are under suspicion of being involved in any malicious activity.

The app works in the following way:

  1. Once the app is installed, the user is presented with several links to adult-related video sites.
  2. Some of the links lead to fraudulent sites. The user then chooses a video from one of these sites.
  3. The user attempts to play video.
  4. The user is asked to pay a fee.

OneClickGIF.gif

Figure 4. Fraudulent app
 

While app stores allow users to easily search for and download apps, there is always a risk of getting fooled into download illegitimate apps. Users should only install apps they are certain they can trust. Symantec also recommends using Norton Mobile Security to help stay protected. The apps discussed in this blog are detected by Symantec products as Android.Oneclickfraud.