Fake Angry Birds app makers fined £50k for shock cash suck

A firm that disguised Android malware as Angry Birds games has been fined £50,000 ($78,300) by UK premium-rate service regulator PhonepayPlus. A1 Agregator posted mobile apps posing as smash-hit games, including Cut the Rope, on Android marketplaces and other outlets. Rather than offer free entertainment, the software silently …

COMMENTS

This topic is closed for new posts.
FAIL

Premium-rate SMS

Are Premium-rate SMS used for anything except scamming? Surely we can find an alternative tech for the 1% of legitimate users and just do away with this 'service'.

I'd settle for an option on my OS to disable sending Premium-rate SMSs.

13
0
Unhappy

Re: Premium-rate SMS

The operators wouldn't have that. Remember that they make up to 50% on delivery or receipt of each PSMS.

Which goes some way towards explaining why scams like this aren't just nipped in the bud at network level.

3
1
Silver badge

Re: Premium-rate SMS

"Are Premium-rate SMS used for anything except scamming? "

Yes,

For a start, they're the mechanism by which operator billing works in app stores. e.g., You pay €2.00 for an app, the phone sends a €0.30 "purchase" message that requests a €1.70 "receipt" message, so in total, you're charged €2.00. Operator billing is the lowest-friction method of buying mobile apps, and you reach anyone with a phone service plan, not just the ones with credit-cards.

Premium SMS is also useful for broad-market geographical services. Want a cab/pizza/etc. quickly? text to XXXX and for €1.00, deductible from your final bill, we'll pass on your location (with your permission) to the very nearest driver/restaurant/etc.

Not using premium SMS would make a service like this vulnerable to timewasters, and also make it harder for the location service provider to collect their commission on the sale.

3
0
Silver badge

Re: Premium-rate SMS

In addition to the above, yes, premium-rate SMS is also used for donating to charity (I usually do Comic Relief and Children in Need via this way) and Vodafone has just launched http://www.justgiving.com/justtextgiving as a way of raising money as individuals via it. It removes the last barrier to charity donations (namely laziness) and is extremely effective.

Your second point is more valid, and the fact an app is able to text on your behalf with little warning is rather poor.

2
0
Thumb Up

Re: Premium-rate SMS

@Kristian Walsh +1 - Informative and resisted the urge to degenerate into an android vs ios slagfest ... all other commentards take note please.

1
1
Anonymous Coward

Re: Premium-rate SMS

Many operators now allow a more direct way of charging to your phone bill, with Premium SMS becoming a little archaic (it's inflexible, limited price points, you have to confirm receipt of the message, etc.). There are some who still offer it as a primary charging mechanism, but, as someone who has dealt with both mechanisms, I know I would rather that it was kicked in the teeth, and more emphasis was put on direct mechanisms (which are also easier to monitor).

0
0
Silver badge

Re: Premium-rate SMS

A great shame that I can't just write to my telco and say that I want to ban all calls to premium-rate numbers from my phone and that they are liable for any charges incurred by calls to such numbers. (Well, I know I can write, but I doubt if I could get the rest to stick in court as it stands.)

2
0
Silver badge
WTF?

Reprimanded?

What about jail time for fraud?

22
0
Silver badge

Re: Reprimanded?

Almost certainly they have obtained money by deception, IANAL, but surely this is a criminal offence?

7
0
Silver badge

Re: Reprimanded?

And probably various computer and telecommunications related offenses.

3
0
Silver badge

Re: Reprimanded?

What about lawyers employed by the real owners of "Angry Birds"? Can't they find a way to "encourage the others"?

1
0

>I'd settle for an option on my OS to disable sending Premium-rate SMSs.

...your telco will block access to premium rate services including SMSs on any handset....

0
1
FAIL

I've just phoned up Orange and they have confirmed that it is not possible for them to block Premium-rate SMS from being sent. They were able to block premium rate telephone calls but said there was nothing they could do about SMS. The support worker I spoke to said he had been there 13 years and had often heard this request and passed the complaint up the chain on many occasions.

1
0

Yet another very good reason not to be with Orange then.

Both ours do - Vodafone and T-Mobile....and as Orange operate in countries where they have to be able to block them by law, they can certainly do it when they have to...

.

1
0

O2 won't

O2 in the UK will NOT bar all premium SMS services to or from a user's number.

I know because I currently have £10 worth sitting on my bill that they won't even remove, claiming I must have asked for the messages to be sent. The girl even suggested my donation to sports relief was somehow a trigger for these messages being sent.

Vodafone on the other hand do let you bar them, and even say on their web forum that some messages are sent by scam companies who just pick numbers at random!

So it looks like Goodbye O2, Hello Vodafone.

0
0
Anonymous Coward

One more time -

READ THE REQUESTED PERMISSIONS

If it says it needs access to send sms messages don't install it unless there is a valid reason why the app would need that

14
3

Re: One more time -

Exactly this. On Android, it's made as clear as possible by headlining the section in the requested permissions list as "Things Which Cost You Money".

Seriously, I cannot see how this could be clearer.

7
2
Anonymous Coward

Re: One more time -

And the downvotes are for what exactly? You don't think the user should take some responsibility when they are given the information that would prevent this from happening?

5
1
Silver badge

Re: One more time -

Android's model is broken because once you install you have no second chance to modify the permissions. It's obvious some people do not read the permissions or do not understand the dangers of leaving them open. It's likely too that people trust Angry Birds / Cut the Rope not to use those services maliciously any way.

What Android desperately needs are trust zones. Apps that don't come preinstalled should be regarded as untrusted by default. Any time they perform an action which could cost a user money such as send an SMS or make a call, a popup should appear on the user's screen asking if they wish to grant that access. Users who don't like these popups can dig into their app settings and mark the app as trusted.

Android should also permit what the playbook does where you can revoke permissions of an app even after you have installed it.

In other words secure by default.

6
1
Silver badge

Re: One more time -

The downvotes are because a lot of Android apps ask for a litany of permissions, which are 'necessary' to use the game.

An example of this is the legitimate version of Angry Birds, the most popular mobile game, which (at least at some point) used to ask for SMS permissions:

http://www.androidcentral.com/rovio-explains-why-angry-birds-update-needs-sms-permission

Since the legitimate version of the game asks for similar permissions as the dodgy version of the game, can you understand why 'looking at the permissions' is not relevant - most users simply will accept whatever is put to them, as they have to accept them anyway for a lot of their apps.

8
2
Stop

Re: One more time -

"Android's model is broken because once you install you have no second chance to modify the permissions. It's obvious some people do not read the permissions or do not understand the dangers of leaving them open."

That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should and that people are ignoring the safeguards put in place. Nothing broken about it.

3
1
Silver badge

Re: One more time -

"That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should and that people are ignoring the safeguards put in place. Nothing broken about it."

It is broken if people are ignoring the warnings, and the system provides no further safeguards once an app is installed. You can't ignore human nature in this sort of thing.

It could be fixed in a manner such as I suggested. Cyanogenmod already features functionality to override services on a per app basis. It just needs to be implemented in the standard Android build so it can percolate out into all devices and become the default behaviour.

5
0
Anonymous Coward

Re: One more time -

Unless of course it bypasses the permissions and uses one of the Android exploits that haven't been patched by slow phone makers

http://web.ncsu.edu/abstract/technology/gingermaster/

http://web.ncsu.edu/abstract/updates/droidkungfu-evolves-again/

0
0

This post has been deleted by its author

Thumb Up

Re: @Tom 38

I have seen several games which I really wanted to play on Android, but have wanted the ability to send texts or make phone calls. I came up with a really innovative solution to this, and I have to say (not bragging or anything) that it so far has a 100% success rate:

I DIDN'T INSTALL THE FUCKING THINGS

17
0
Bronze badge
Megaphone

Re: One more time -

"That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should "

... and you just provided an explanation why exactly it's broken. It ignores the weakest link of any security system: humans.

0
0
Childcatcher

@DrXym

"It could be fixed in a manner such as I suggested. Cyanogenmod already features functionality to override services on a per app basis. It just needs to be implemented in the standard Android build so it can percolate out into all devices and become the default behaviour."

I totally agree that this *could* be done, but it would then potentially require a change to all apps to react to this, as you design with the assumption that you get what you have asked for as otherwise there's no install. As I said, it's a matter of opinion as to which way you want to go, but it's not an explicitly broken model. It offers controls, and some people don't pay them enough attention. A second layer of confirmation would then introduce annoyances for some while protecting others - it's going to be a matter of personal choice as to which you think is best and in this case they haven't gone with that.

A better solution would be to encourage people to care about the permissions more and, as someone said above, a big problem is permission bloat from lazy developers. I avoid apps with too many permissions, but I can understand that some users start to, as a result, treat permissions in the same way I treat most EULAs. Scrolly scrolly, accepty accepty. Read? Nah. Already have too many of those long things to read.

Unfortunately this is where Google fail massively IMHO. The dev documentation really doesn't stress the benefits of aiming for minimum possible permissions, big publishers are pretty lax about their own requests so set a bad example, and the market (sorry, Play) doesn't enforce detailed per-description permissions to make devs think about what they're putting in. Google could influence all of these factors. I had a look at PhoneGap the other week and was appalled to see in their getting started guide they just suggest pasting in a massive list of permission requests to the Android manifest! That sort of rubbish really doesn't help keep the permission bloat low.

0
0
Anonymous Coward

ok, genuine question

I'm not bashing Android or anything here, I'm genuinely interested in knowing how and why this can happen, and I'd like anyone replying to follow suit if you wouldn't mind.

Anyone know why this can happen, or how?

Is this because there isn't much in the way of controls over what content is on the Android marketplace? Are other marketplaces susceptible to the same levels of malware, and in the marketplace for any platform would they remove them as they found out about them?

I remember when I used Android that it used to ask if it had permission to do anything, is that still the case or is this a case of people sideloading or using unofficial apps... If Angry Birds asked me to give it SMS access I'd be kinda curious as to why it's needed, or is this people not reading the messages?

I'm just curious because I've never noticed "fake" apps on my marketplace, does that mean there aren't any for this platform?

Lots of questions I know, but it would be quite interesting to see the differences between the markets that can prevent or allow this kind of thing and what the trade-off in return is...

1
2

Re: ok, genuine question

Anyone can put anything up, but it's unlikely it stayed up long.. apps tend to vanish fairly quickly if there are complaints (and bad reviews are always a big hint - never download anything with one or two stars..). The reason you've never seen them is probably because you've never been looking at the right moment - I've never come across any genuine malware either (adware.. tons of it, but every platform has that).

Not only do android apps list all the permissions they need, if that changes due to an upgrade the OS will refuse to update it until you've gone in and read the new permissions list.

And of course if you never use premium rate numbers (the majority of us, I'd expect) you can have them blocked anyway, giving no opportunity for mischief.

£27,850 profit, even assuming 100% profit is 5,570 SMSs.. that's not a huge number compared to the number of phones, users, etc. Still the system could have worked faster in this case... and why the company directors are not in jail for fraud I've no idea.

0
0
Thumb Down

Re: ok, genuine question

These problems are all side loaded apps, which have a big fat malware warning.

The tech press should be hanging their heads in shame for not highlighting that fact, and simply heading for the easy sensationalist scaremongering BS.

0
1
Holmes

"65 per cent of all threats are aimed at this platform"

... and the other 35%? Why, that would be Symbian, Symbian 3rd Ed, and Java ME, according to McAfee's Q1 2012 threat report.

0
0
WTF?

A1 Agregator

With as classy a company name as that they might as well be called "Dodgy Dave's Digital Deception Development and Distribution Ltd"

Why the heck are these guys not in prison? And will the makers of Angry Birds and Google hurry up and sue these guys' arses off for trademark infringement, distributing pirated apps and terms of service breaches! I know some users may be too dumb to read app permissions but still!

I wonder if A1 Agregator are one of these "Silicon Roundabout" firms? Na can't be, these guys actually made some money!

9
0
WTF?

Fined? Fined? FINED? How the hell isn't this a criminal offence with jail time?! It's fraud ffs!

Bloody legal system... rob a house, go to jail; steal 50 grand, get a fine; bankrupt millions of people, get a government bailout...

WTF is wrong with our laws.

14
2
Bronze badge

re: rob a house

you don't go to jail for that neither. At least - not always.

To go to jail you would have to hack a Facebook account. Oh the horror!

2
0
Bronze badge

Wondering

Verizon by default blocks Premium-rate SMS. If you send a text to one you get a text back from Verizon telling you it's blocked. You must call Verizon to remove this block. Why don't they do the same in the UK?

1
0
Silver badge

Top tips

5 Safe-Phone Tips

Here are five precautions that you can take to keep mobile malware off your phone.

1. Be suspicious of messages that pop up on your phone and claim you need to update the device's software. When in doubt, call your wireless carrier and ask if you really need a patch or update.

2. Download mobile security protection. Lookout Mobile Security is a good free app; AVG Antivirus offers Anti-Virus Free and Norton has Norton Mobile Security. (See related: Protect Your Android Phone with Security Apps)

3. Pay close attention to the permissions that apps request. Google's Android Market breaks down exactly what each app wants to access on your phone. If a tic-tac-toe game wants to read your phone's contacts, for instance, be suspicious.

4. Read app reviews carefully, and consider the app's star rating and how many people have downloaded it. Be suspicious of third-party app stores that offer paid apps for free.

5. Watch for signs that your phone may be infected. If you see that your phone has sent text messages or email, or placed calls that you didn't initiate, your phone is probably compromised.

Courtesy of http://www.pcworld.com

1
0
Silver badge
Meh

Re: Top tips

All good advice, but excuse me while I guffaw at the idea a drone at the call centre of whichever mobile telco would have a clue about security patches for Android.

As for the permissions, as said above there are certain functions of a phone that should absolutely require explicit confirmation, not assumed in terms and conditions. I'm pretty sure Apple has been slammed for the same thing. There's nothing wrong with asking with a "never ask me again" option attached.

If I put "I'm going to royally rip you off" in a permission or T&C, doesn't make it allowed if you install it.

0
0
Trollface

Re: Top tips

...or, dare I say, buy an iPhone.

Oh, sorry, I forgot, choosing a malware-infested google-spyware loaded mobile OS is so much cleverer than being a stupid fanboi trapped in a virus-free walled garden.

Whoops! Dared to criticise Android. The downvote button is over there. Please form an orderly queue --------------->

5
5
Anonymous Coward

Re: Top tips

That was such a poor display of trolling, I can't even be bothered to downvote.

2
1
Bronze badge
Trollface

Re: Top tips

selecting such an exotic and unusual platform as Blackberry also seems to provide good protection. It does not catch PC viruses!

... oops, I forgot that line has been already tried in Apple ads!

0
0
Silver badge

Fined??

So were those responsible actually tracked down or was this 'fine' delivered in absentia to a post box somewhere?

As other posters have said there should be prosecutions brought. I suspect the lack of them may be due to the culprits not being tracked down.

Now off to google to investigate my suppositions! Post first repent later.

0
0
Silver badge

Re: Fined??

Just checked - their site is on an .ru domain.

Chance of fine being paid = 0.

Of course ofcom would mention that as 'Russian malware maker given pretend fine' doesn't make the same headlines.

2
0
Joke

Obligatory meme based pun

In Russia, premium rate telephone lines call you!

2
0

LBE Privacy Guard ....

.....lets you manage what permissions an app can actually use regardless of what it says it needs and also block wifi or 2/3g access.

Only works on rooted devices though.

0
0
Anonymous Coward

Bwaaa haaa haaa

Steve Jobs would be laughing in his iGrave LMAO!!!!

0
1
Happy

Anyone else wonder if they might have got away with it for longer if they were called z9 agregator?

0
0
Bronze badge

"Android virus evolution" ??

And nothing which follows has anything to do with viruses.

0
0
FAIL

It's theft, simple as that

"A1 Agregator - which was "formally reprimanded" over its behaviour "

So they conned people, stole their money and they get a jolly good telling off, awesome.

So what would happen if I stole £20,000 from someone, do you think I'd get a telling off and get fined (I could pay the fine with the money I stole)? What a sweet deal.

It's simple: put the MD of the company away for a couple of years, they would never do it again.

It's just like the "expenses scandal": if I was to steal (and let's be honest, that's what they were doing) from my employer (that's us by the way, each and every taxpayer) I would be put in prison for it (it's called embezzlement), but if I was an MP I could just say sorry, pay some of the money back and that would be fine.

The law is an arse.

0
0
Bronze badge
FAIL

Death penalty

"Formally reprimanded"?! The company should have had its registration terminated, since it was acting fraudulently, with all the directors getting jail time for it. Instead, they haven't even been completely banned from operating exactly the same scam in future, let alone shut down!

I'd love to eliminate premium rate SMS entirely, but last time I looked into it I was just told flat out that it wasn't possible. Absurd: it should have been a prerequisite before the very first premium rate text could be sent or received by the public, not grudgingly tacked on as an afterthought over a decade later by the less feeble operators!

0
0
Anonymous Coward

Never fear! Help is near!

.

Premium-rate SMS scammers are about to launch their very own

swindle service --- PhoneyPayPlus!

0
0