Looking for more information on mobile threats like RuFraud? Check out Lookout’s Top Threats resource.
Update: Since this post was first published on December 11th, Lookout detected 5 additional RuFraud apps in the Market. As of December 13th, 27 applications have been found to contain instances of RuFraud. See below for the full list of apps.
There has been a rash of premium SMS toll fraud apps in the last few months that have primarily targeted users in Europe. These apps have often purported to be downloaders for well-known third party software (often freely available software such as Opera Mobile), and have primarily been found on file sharing sites and alternative markets.
Just this week there have been several waves of a new threat, RuFraud, posted to the official Android Market. The initial batch appeared as horoscope apps with a fairly hidden ToS indicating charges. The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links. The Premium Short Codes used could affect users in Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine, Estonia as well as Great Britain, Italy, Israel, France, and Germany. North American users were not affected as the fraudulent SMS code is gated on the user’s country (as indicated by their SIM).
In the last week we have notified Google of 9 identical applications that were skinned to appear more appealing to potential users: three wallpaper apps for popular movies (including Twilight), and three apps purporting to be downloaders for popular games such as Angry Birds and Cut the Rope. Google responded quickly to our reports and pulled these apps from the Android Market. At the time of removal these applications had only been downloaded by a handful of users, and the severity of the threat was still very low.
Overnight, the fraudsters have posted 13 new supposed downloaders to the Android Market, once again positioned as free versions of popular games. It appears that these apps may have reached a broader audience while published to the market: we estimate upwards of 14,000 downloads of these apps. Google responded to reports from Lookout and others by pulling these apps from the Market. We’ve deployed an over-the-air update that protects Lookout users from all known instances of RuFraud.
The full list of applications (with package name) that have been found to contain instances of RuFraud (sorted by developer) include:
- Horoscope (horoscope.android)
- Horoscope (com.corazon.horoscope)
- Horoscope (com.corelly.horoscope)
- Twilight (com.Twilight.wallpapers)
- Puss in Boots (com.Puss.Boots.wallpapers)
- Moneyball (com.Moneyball.wallpapers)
- Sim City Deluxe FREE (com.astrolog.sim.city.deluxe.free)
- Need for Speed Shift FREE (com.astrolog.need.forspeed.shift.free)
- Great Little War Game FREE (com.astrolog.great.little.war.game.free)
- Cut the Rope (com.Cut.the.Rope)
- Angry Birds (com.Angry.Birds)
- Assassins Creed (com.Assassins.Creed)
- Talking Tom Cat (com.Talking.Tom.Cat)
- NEED FOR SPEED Shift (com.nsf.Shift)
- Where is My Water? (com.swampy.Water)
- Great Little War Game (com.Great.little.War.Game)
- World of Goo (com.World.Goo)
- Shoot The Birds (com.Shoot.The.Birds)
- Riptide GP (com.Riptide.GP)
- Talking Larry the Bird (com.Talking.larry.Bird)
- Bag It! (com.Bag.It)
- Talking Larry the Bird (com.Talking.Larry.Bird)
- Angry Birds (com.Angry.Birds.free)
- TETRIS (com.tetris.free)
- Pool Master Pro (com.Pool.Master.free)
- Reckless Racing (com.Reckless.Racing.free)
- Paradise Island (com.Paradise.Island.free)