December 11, 2011

Update: RuFraud: European Premium SMS Toll Fraud on the Rise

Looking for more information on mobile threats like RuFraud? Check out Lookout’s Top Threats resource.

Update: Since this post was first published on December 11th, Lookout detected 5 additional RuFraud apps in the Market. As of December 13th, 27 applications have been found to contain instances of RuFraud. See below for the full list of apps.

There has been a rash of premium SMS toll fraud apps in the last few months that have primarily targeted users in Europe. These apps have often purported to be downloaders for well-known third party software (often freely available software such as Opera Mobile), and have primarily been found on file sharing sites and alternative markets.

Just this week there have been several waves of a new threat, RuFraud, posted to the official Android Market. The initial batch appeared as horoscope apps with a fairly hidden ToS indicating charges. The initial application activity presents the user with a single option to continue, which is presumed to be an agreement to premium charges that are buried within layers of less than clear links. The Premium Short Codes used could affect users in Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine, Estonia as well as Great Britain, Italy, Israel, France, and Germany. North American users were not affected as the fraudulent SMS code is gated on the user’s country (as indicated by their SIM).

In the last week we have notified Google of 9 identical applications that were skinned to appear more appealing to potential users: three wallpaper apps for popular movies (including Twilight), and three apps purporting to be downloaders for popular games such as Angry Birds and Cut the Rope. Google responded quickly to our reports and pulled these apps from the Android Market. At the time of removal these applications had only been downloaded by a handful of users, and the severity of the threat was still very low.

Overnight, the fraudsters have posted 13 new supposed downloaders to the Android Market, once again positioned as free versions of popular games. It appears that these apps may have reached a broader audience while published to the market: we estimate upwards of 14,000 downloads of these apps.  Google responded to reports from Lookout and others by pulling these apps from the Market. We’ve deployed an over-the-air update that protects Lookout users from all known instances of RuFraud.

The full list of applications (with package name) that have been found to contain instances of RuFraud (sorted by developer) include:

Corazon LLC:

  • Horoscope (
  • Horoscope (com.corazon.horoscope)

Corelly LLC:

  • Horoscope (com.corelly.horoscope)

Ranzy LLC:

  • Twilight (com.Twilight.wallpapers)
  • Puss in Boots (com.Puss.Boots.wallpapers)
  • Moneyball (com.Moneyball.wallpapers)

Astrolog LLC:

  • Sim City Deluxe FREE (
  • Need for Speed Shift FREE (
  • Great Little War Game FREE (


  • Cut the Rope (com.Cut.the.Rope)
  • Angry Birds (com.Angry.Birds)
  • Assassins Creed (com.Assassins.Creed)
  • Talking Tom Cat (com.Talking.Tom.Cat)
  • NEED FOR SPEED Shift (com.nsf.Shift)
  • Where is My Water? (com.swampy.Water)
  • Great Little War Game (com.Great.little.War.Game)
  • World of Goo (com.World.Goo)
  • Shoot The Birds (com.Shoot.The.Birds)
  • Riptide GP (com.Riptide.GP)
  • Talking Larry the Bird (com.Talking.larry.Bird)
  •  Bag It! (com.Bag.It)
  • Talking Larry the Bird (com.Talking.Larry.Bird)
  • Angry Birds (

Allwing Concept:

  • TETRIS (
  • Pool Master Pro (
  • Reckless Racing (
  • Paradise Island (
  1. Doug says:

    I live in Canada, Southern Ontario to be exact. I was recently charged $30Canadian on my Koodo phone bill for premium text messages that I was sure I did not sent. Does anybody have an idea of how I might be able to recover this money. I have since removed all apps from my phone that are not directly from Google Inc. I have an LG Optimus One.

    • Amy says:

      @Doug, thanks for your message. You’d mentioned that you had recently seen charges for premium rate text messages appear on your phone bill and you believed it may be RuFraud. You may want to contact your carrier to notify them that you did not send any premium rate text messages. If you have any other questions about about RuFraud, please feel free to contact us: feedback@mylookout[dot]com. Thank you!

  2. Doug says:

    ……..I did not send….

  3. […] Mobile, a security firm focused on smartphones, alerted Google to applications in its Android store that were posing as innocuous, free apps, but were really […]

  4. […], Getagged mitabzock apps • android marketm google • angry birds • […]

  5. […] of apps from the Android Market because they trick European users into paying premium SMS charges. According to the mobile security firm Lookout, Google has removed 22 apps from the market for essentially being wrappers around a new RuFraud […]

Leave a comment