back to article Fake Angry Birds app makers fined £50k for shock cash suck

A firm that disguised Android malware as Angry Birds games has been fined £50,000 ($78,300) by UK premium-rate service regulator PhonepayPlus. A1 Agregator posted mobile apps posing as smash-hit games, including Cut the Rope, on Android marketplaces and other outlets. Rather than offer free entertainment, the software silently …

COMMENTS

This topic is closed for new posts.
  1. Thomas 18
    FAIL

    Premium-rate SMS

    Are Premium-rate SMS used for anything except scamming? Surely we can find an alternative tech for the 1% of legitimate users and just do away with this 'service'.

    I'd settle for an option on my OS to disable sending Premium-rate SMSs.

    1. Hieronymus Howerd
      Unhappy

      Re: Premium-rate SMS

      The operators wouldn't have that. Remember that they make up to 50% on delivery or receipt of each PSMS.

      Which goes some way towards explaining why scams like this aren't just nipped in the bud at network level.

      1. Number6

        Re: Premium-rate SMS

        A great shame that I can't just write to my telco and say that I want to ban all calls to premium-rate numbers from my phone and that they are liable for any charges incurred by calls to such numbers. (Well, I know I can write, but I doubt if I could get the rest to stick in court as it stands.)

    2. Kristian Walsh Silver badge

      Re: Premium-rate SMS

      "Are Premium-rate SMS used for anything except scamming? "

      Yes,

      For a start, they're the mechanism by which operator billing works in app stores. e.g., You pay €2.00 for an app, the phone sends a €0.30 "purchase" message that requests a €1.70 "receipt" message, so in total, you're charged €2.00. Operator billing is the lowest-friction method of buying mobile apps, and you reach anyone with a phone service plan, not just the ones with credit-cards.

      Premium SMS is also useful for broad-market geographical services. Want a cab/pizza/etc. quickly? text to XXXX and for €1.00, deductable from your final bill, we'll pass on your location (with your permission) to the very nearest driver/restaurant/etc..

      Not using premium SMS would make a service like this vulnerable to timewasters, and also make it harder for the location service provider to collect their commision on the sale.

      1. Anonymous Coward
        Thumb Up

        Re: Premium-rate SMS

        @Kristian Walsh +1 - Informative and resisted the urge to degenerate into an android vs ios slagfest ... all other commentards take note please.

      2. Anonymous Coward
        Anonymous Coward

        Re: Premium-rate SMS

        Many operators now allow a more direct way of charging to your phone bill, with Premium SMS becoming a little archaic (it's inflexible, limited price points, you have to confirm receipt of the message, etc.). There are some who still offer it as a primary charging mechanism, but, as someone who has dealt with both mechanisms, I know I would rather that it was kicked in the teeth, and more emphasis was put on direct mechanisms (which are also easier to monitor).

    3. Annihilator

      Re: Premium-rate SMS

      In addition to the above, yes, premium-rate SMS is also used for donating to charity (I usually do Comic Relief and Children in Need via this way) and Vodafone has just launched http://www.justgiving.com/justtextgiving as a way of raising money as individuals via it. It removes the last barrier to charity donations (namely laziness) and is extremely effective.

      Your second point is more valid, and the fact an app is able to text on your behalf with little warning is rather poor.

  2. Phil O'Sophical Silver badge
    WTF?

    Reprimanded?

    What about jail time for fraud?

    1. Tom 38

      Re: Reprimanded?

      Almost certainly they have obtained money by deception, IANAL, but surely this is a criminal offence?

    2. DrXym

      Re: Reprimanded?

      And probably various computer and telecommunications related offenses.

    3. Nigel 11

      Re: Reprimanded?

      What about lawyers employed by the real owners of "Angry Birds"? Can't they find a way to "encourage the others"?

  3. Random Handle

    >I'd settle for an option on my OS to disable sending Premium-rate SMSs.

    ...your telco will block access to premium rate services including SMSs on any handset....

    1. Thomas 18
      FAIL

      I've just phoned up Orange and they have confirmed that it is not possible for them to block Premium-rate SMS from being sent. They were able to block premium rate telephone calls but said there was nothing they could do about SMS. The support worker I spoke to said he had been there 13 years and had often heard this request and passed the complaint up the chain on many occasions.

      1. Random Handle

        Yet another very good reason not to be with Orange then.

        Both ours do - Vodafone and T-Mobile....and as Orange operate in countries where they have to be able to block them by law, they can certainly do it when they have to...

        .

    2. Trevor Marron

      O2 won't

      O2 in the UK will NOT bar all premium SMS services to or from a user's number.

      I know because I currently have £10 worth sitting on my bill that they won't even remove, claiming I must have asked for the messages to be sent. The girl even suggested my donation to sports relief was somehow a trigger for these messages being sent.

      Vodafone on the other hand do let you bar them, and even say on their web forum that some messages are sent by scam companies who just pick numbers at random!

      So it looks like Goodbye O2, Hello Vodafone.

  4. Anonymous Coward
    Anonymous Coward

    One more time -

    READ THE REQUESTED PERMISSIONS

    If it says it needs access to send sms messages don't install it unless there is a valid reason why the app would need that

    1. Rameses Niblick the Third (KKWWMT)

      Re: One more time -

      Exactly this. On Android, it's made as clear as possible by headlining the section in the requested permissions list as "Things Which Cost You Money".

      Seriously, I cannot see how this could be clearer.

    2. Anonymous Coward
      Anonymous Coward

      Re: One more time -

      And the downvotes are for what exactly? You don't think the user should take some responsibility when they are given the information that would prevent this from happening?

      1. Tom 38

        Re: One more time -

        The downvotes are because a lot of Android apps ask for a litany of permissions, which are 'necessary' to use the game.

        An example of this is the legitimate version of Angry Birds, the most popular mobile game, which (at least at some point) used to ask for SMS permissions:

        http://www.androidcentral.com/rovio-explains-why-angry-birds-update-needs-sms-permission

        Since the legitimate version of the game asks for similar permissions as the dodgy version of the game, can you understand why 'looking at the permissions' is not relevant - most users simply will accept whatever is put to them, as they have to accept them anyway for a lot of their apps.

        1. This post has been deleted by its author

        2. Rameses Niblick the Third (KKWWMT)
          Thumb Up

          Re: @Tom 38

          I have seen several games which I really wanted to play on Android, but have wanted the ability to send texts or make phone calls. I came up with a really innovative solution to this, and I have to say (not bragging or anything) that it so far has a 100% success rate:

          I DIDN'T INSTALL THE FUCKING THINGS

    3. DrXym

      Re: One more time -

      Android's model is broken because once you install you have no second chance to modify the permissions. It's obvious some people do not read the permissions or do not understand the dangers of leaving them open. It's likely too that people trust Angry Birds / Cut the Rope not to use those services maliciously any way.

      What Android desperately needs are trust zones. Apps that don't come preinstalled should be regarded as untrusted by default. Any time they perform an action which could cost a user money such as send an SMS or make a call, a popup should appear on the user's screen asking if they wish to grant that access. Users who don't like these popups can dig into their app settings and mark the app as trusted.

      Android should also permit what the playbook does where you can revoke permissions of an app even after you have installed it.

      In other words secure by default.

      1. Anonymous Coward
        Stop

        Re: One more time -

        "Android's model is broken because once you install you have no second chance to modify the permissions. It's obvious some people do not read the permissions or do not understand the dangers of leaving them open."

        That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should and that people are ignoring the safeguards put in place. Nothing broken about it.

        1. DrXym

          Re: One more time -

          "That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should and that people are ignoring the safeguards put in place. Nothing broken about it."

          It is broken if people are ignoring the warnings, and the system provides no further safeguards once an app is installed. You can't ignore human nature in this sort of thing.

          It could be fixed in a manner such as I suggested. Cyanogenmod already features functionality to override services on a per app basis. It just needs to be implemented in the standard Android build so it can percolate out into all devices and become the default behaviour.

          1. Anonymous Coward
            Childcatcher

            @DrXym

            "It could be fixed in a manner such as I suggested. Cyanogenmod already features functionality to override services on a per app basis. It just needs to be implemented in the standard Android build so it can percolate out into all devices and become the default behaviour."

            I totally agree that this *could* be done, but it would then potentially require a change to all apps to react to this, as you design with the assumption that you get what you have asked for as otherwise there's no install. As I said, it's a matter of opinion as to which way you want to go, but it's not an explicitly broken model. It offers controls, and some people don't pay them enough attention. A second layer of confirmation would then introduce annoyances for some while protecting others - it's going to be a matter of personal choice as to which you think is best and in this case they haven't gone with that.

            A better solution would be to encourage people to care about the permissions more and, as someone said above, a big problem is permission bloat from lazy developers. I avoid apps with too many permissions, but I can understand that some users start to, as a result, treat permissions in the same way I treat most EULAs. Scrolly scrolly, accepty accepty. Read? Nah. Already have too many of those long things to read.

            Unfortunately this is where Google fail massively IMHO. The dev documentation really doesn't stress the benefits of aiming for mimimum possible permissions, big publishers are pretty lax about their own requests so set a bad example, and the market (sorry, Play) doesn't enforce detailed per-description permissions to make devs think about what they're putting in. Google could influence all of these factors. I had a look at PhoneGap the other week and was appalled to see in their getting started guide they just suggest pasting in a massive list of permission requests to the Android manifest! That sort of rubbish really doesn't help keep the permission bloat low.

        2. Bronek Kozicki
          Megaphone

          Re: One more time -

          "That doesn't mean that the model is broken ... it means that it doesn't operate the way you think it should "

          ... and you just provided an explanaiton why exactly it's broken. It ignores the weakest link of any security system: humans.

    4. Anonymous Coward
      Anonymous Coward

      Re: One more time -

      Unless of course it bypasses the permissions and uses one of the Android exploits that haven't been patched by slow phone makers

      http://web.ncsu.edu/abstract/technology/gingermaster/

      http://web.ncsu.edu/abstract/updates/droidkungfu-evolves-again/

  5. Anonymous Coward
    Anonymous Coward

    ok, genuine question

    Im not bashing Android or anything here, im an genuinely interested in knowing how and why this can happen, and id like anyone replying to follow suite if you wouldn't mind.

    anyhow know why this can happen, or how?

    Is this because there isn't much in the way of controls over what content is on the android marketplace? Are other market places susceptible to the same levels of malware and in the marketplace for any platform would they remove them as they found out about them.

    I remember when I used android that is used to ask if it had permission to do anything , is that still the case or is this a case of people sideloading or using unofficial apps... If angry birds asked me to give it SMS access id be kinda curious as to why its needed, or is this people not reading the messages?

    Im just curious because ive never noticed "fake" apps on my marketplace, does that mean there aren't any for this platform?

    lots of questions I know, but it would be quite interesting to see the differences between the markets that can prevent or allow this kind of thing and what the trade off in return is...

    1. TonyHoyle

      Re: ok, genuine question

      Anyone can put anything up, but it's unlikely it stayed up long.. apps tend to vanish fairly quickly if there are complaints (and bad reviews are always a big hint - never download anything with one or two stars..). The reason you've never seen them is probably because you've never been looking at the right moment - I've never come across any genuine malware either (adware.. tons of it, but every platform has that).

      Not only do android apps list all the permissions they need, if that changes due to an upgrade the OS will refuse to update it until you've gone in and read the new permissions list.

      And of course if you never use premium rate numbers (the majority of us, I'd expect) you can have then blocked anyway, giving no opportunity for mischief.

      £27,850 profit, even assuming 100% profit is 5,570 SMSs.. that's not a huge number compared to the number of phones, users, etc. Still the system could have worked faster in this case... and why the company directors are not in jail for fraud I've no idea.

    2. Anonymous Coward
      Thumb Down

      Re: ok, genuine question

      These problems are all side loaded apps, which have a big fat malware warning.

      The tech press should be hanging their heads in shame for not highlighting that fact, and simply heading for the easy sensationalist scaremongering BS.

  6. ArkhamNative
    Holmes

    "65 per cent of all threats are aimed at this platform"

    ... and the other 35%? Why, that would be Symbian, Symbian 3rd Ed, and Java ME, according to McAfee's Q1 2012 threat report.

  7. LinkOfHyrule
    WTF?

    A1 Agregator

    With as classy a company name as that they might as well be called "Dodgy Dave's Digital Deception Development and Distribution Ltd"

    Why the heck are these guys not in prison? And will the makers of Angry Birds and Google hurry up and sue these guys arses off for trademark infringement , distributing pirated aps and terms of service breaches! I know some users may be too dumb to read ap permisions but still!

    I wonder if A1 Agregator are one of these "Silicon Roundabout" firms? Na can't be, these guys actually made some money!

  8. tkioz
    WTF?

    Fined? Fined? FINED? How the hell isn't this a criminal offence with jail time?! It's fraud ffs!

    Bloody legal system... rob a house, go to jail; steal 50 grand, get a fine; bankrupt millions of people, get a government bailout...

    WTF is wrong with our laws.

    1. Bronek Kozicki

      re: rob a house

      you don't go to jail for that neither. At least - not always.

      To go jail you would have to hack a facebook account. Oh the horror!

  9. kain preacher

    Wondering

    Verizon by default blocks Premium-rate SMS. If you send a text to one you get a text back from Vertizon Telling you it's block. You must call Verizon to remove this block. Why don't they do the same in the UK ?

  10. ukgnome

    Top tips

    5 Safe-Phone Tips

    Here are five precautions that you can take to keep mobile malware off your phone.

    1. Be suspicious of messages that pop up on your phone and claim you need to update the device's software. When in doubt, call your wireless carrier and ask if you really need a patch or update.

    2. Download mobile security protection. Lookout Mobile Security is a good free app; AVG Antivirus offers Anti-Virus Free and Norton has Norton Mobile Security. (See related: Protect Your Android Phone with Security Apps)

    3. Pay close attention to the permissions that apps request. Google's Android Market breaks down exactly what each app wants to access on your phone. If a tic-tac-toe game wants to read your phone's contacts, for instance, be suspicious.

    4. Read app reviews carefully, and consider the app's star rating and how many people have downloaded it. Be suspicious of third-party app stores that offer paid apps for free.

    5. Watch for signs that your phone may be infected. If you see that your phone has sent text messages or email, or placed calls that you didn't initiate, your phone is probably compromised.

    Courtesy of http://www.pcworld.com

    1. Annihilator
      Meh

      Re: Top tips

      All good advice, but excuse me while I guffaw at the idea a drone at the call centre of whichever mobile telco would have a clue about security patches for Android.

      As for the permissions, as said above there are certain functions of a phone that should absolutely require explicit confirmation, not assumed in terms and conditions. I'm pretty sure Apple has been slammed for the same thing. There's nothing wrong with asking with a "never ask me again" option attached.

      If I put "I'm going to royally rip you off" in a permission or T&C, doesn't make it allowed if you install it.

    2. Anonymous Coward
      Trollface

      Re: Top tips

      ...or, dare I say, buy an iPhone.

      Oh, sorry, I forgot, choosing a malware-infested google-spyware loaded mobile OS is so much cleverer than being a stupid fanboi trapped in a virus-free walled garden.

      Whoops! Dared to criticise Android. The downvote button is over there. Please form an orderly queue --------------->

      1. Anonymous Coward
        Anonymous Coward

        Re: Top tips

        That was such a poor display of trolling, I can't even be bothered to downvote.

      2. Bronek Kozicki
        Trollface

        Re: Top tips

        selecting such an exotic and unusual platform as Blackberry also seems to provide good protection. It does not catch PC viruses!

        ... oops, I forgot that line has been already tried in Apple adds!

  11. Gordon 10

    Fined??

    So were those responsible actually tracked down or was this 'fine' delivered in abscentia to a post box somewhere.

    As other posters have said there should be prosecutions brought. I suspect the lack of them may be due to the culprits not being tracked down.

    Now off to google to investigate my suppositions! Post first repent later.

    1. Gordon 10

      Re: Fined??

      Just checked - their site is on an .ru domain.

      Chance of fine being paid = 0.

      Of course ofcom would mention that as 'Russian malware maker given pretend fine' doesn't make the same headlines.

      1. LinkOfHyrule
        Joke

        Obligatory meme based pun

        In Russia, premium rate telephone lines call you!

  12. fredfox

    LBE Privacy Guard ....

    .....lets you manage what permissions an app can actually use regardless of what it says it needs and also block wifi or 2/3g access.

    Only works on rooted devices though.

  13. Anonymous Coward
    Anonymous Coward

    Bwaaa haaa haaa

    Steve Jobs would be laughing in his iGrave LMAO!!!!

  14. jbuk1
    Happy

    Anyone else wonder if they might have got away with it for longer if they where called z9 agregator?

  15. silent_count

    "Android virus evolution" ??

    And nothing which follows has anything to do with viruses.

  16. dont care what ever
    FAIL

    its theft simple as that

    "A1 Agregator - which was "formally reprimanded" over its behaviour "

    so they conned people , stole there money and they get a jolly good telling off , awesome

    so what would happen if i stole £20,000 from someone , do you think id get a telling off and get fined ( i could pay the fine with the money i stole ) what a sweet deal .

    its simple put the md of the company away for a couple of year , they would never do it agian

    its just like the "expenses scandel" if i was to steal ( and lets be honest that what they were doing) from my employier (thats us by the way , each and every tax payer) i would be put in prision for it ( its call embezzlement), but if i was a mp i could just say sorry pay some of the money back and thet would be fine

    the law is a arse

  17. James 100
    FAIL

    Death penalty

    "Formally reprimanded"?! The company should have had its registration terminated, since it was acting fraudulently, with all the directors getting jail time for it. Instead, they haven't even been completely banned from operating exactly the same scam in future, let alone shut down!

    I'd love to eliminate premium rate SMS entirely, but last time I looked into it I was just told flat out that it wasn't possible. Absurd: it should have been a prerequisite before the very first premium rate text could be sent or received by the public, not grudgingly tacked on as an afterthought over a decade later by the less feeble operators!

  18. Anonymous Coward
    Anonymous Coward

    Never fear! Help is near!

    .

    Premium-rate SMS scammers are about to launch their very own

    swindle service --- PhoneyPayPlus!

This topic is closed for new posts.

Other stories you might like