Scammers involved in Japanese one-click fraud continuously come up with new tactics, meaning the scam continues to evolve. For example, earlier in the year scammers came up with the idea of locking smartphone browsers in an attempt to force users into dialing a support center set up by the fraudsters.
The latest tactic observed by Symantec involves the use of an Android app (Android.Oneclickfraud), which was actually used previously by one-click fraudsters but is now seeing a resurgence.
The very first app used for one-click fraud was originally found in the wild at the start of 2012, with a handful of variants appearing shortly after that. However, they were short-lived, possibly due to several arrests made by law enforcement agencies, and by the latter half of 2012 they were obsolete.
Traditional one-click fraud typically involves only clicks within the browser, but a recently discovered fraudulent adult video website attempts to trick users into installing an app as part of the scam. When a user attempts to view an adult video by clicking on the play button, the download of the APK file begins. As with any Android app, the user is required to manually install it and may be warned by the Android OS that the app could be harmful. The list of permissions required by the app, as shown during the installation process, is short and only includes permissions regarding privacy, which may make users feel more comfortable about installing it.
Figure 1. Website distributing the malicious app
Figure 2. Pop-up warning that the app may be harmful
Figure 3. Permission required by the app
Once the app has been installed and launched, a member’s page is displayed showing a selection of adult videos. After a while, the app displays details about a subscription that the user has apparently signed up to and must now pay for.
Figure 4. Payment details displayed by the app
Perhaps in an effort to make the payment process as easy as possible for their victims, the scammers in this case ask for payment card details as the form of payment. This is the first time we have observed this method of payment being used in this type of scam, as typically one-click fraud payments are carried out using bank transfers.
Figure 5. Scammers offer payment card option
The user is offered two subscription fees. If the user pays within three days, they are told the fee will be 99,000 Japanese yen (approximately US$800) but after this time the fee will be 300,000 (approximately $2,400). The sharp rise in price if the subscription isn’t paid within a short timeline is a common tactic used to rush the user into paying the fee quickly.
The distribution of the app appears to have begun in late May and in the first 24 hours after it appeared, we suspect it was downloaded over 500 times.
Symantec will closely monitor this new trend and confirm if the usage of the app continues.
Protection
Fortunately, if someone happens to fall for this trick and downloads the app, they can simply ignore the “subscription." No personal information is captured and the app can be easily uninstalled.
Users should refrain from downloading apps from unfamiliar sites and only install apps from trusted sources. Symantec also recommends installing a security app, such as Norton Mobile Security, in order to protect your device and data.
Symantec and Norton products detect the malicious app discussed in this blog as Android.Oneclickfraud.