Symantec reports one-click fraud has arrived on smartphones


Do you want the good news, or the bad news first? The bad news is that one-click fraud has, at long last, arrived on smartphones. The good news (unless you live in Japan) is that the frauds are focused on Japanese language users of mobile phones.

According to Joji Hamada, a security expert with Symantec, the fraud typically involves users attempting to access adult content on websites and, when a user attempts to access the content, malware is downloaded.

This technique has been around for some time on the desktop platform, Infosecurity notes, but appears to be the first time it has been used on the mobile internet.

Hamada reports that the malware then continuously displays pop-up windows with lewd pictures asking for payment to register to a web site and, since the pop-up windows will not go away, many users are embarrassed into paying for site in the hope that the pop-ups disappear.

But you guessed – even after paying, the pop-ups may not totally disappear and, as Hamada says in his latest security posting, while one-click fraud is still common on computers, he and his team are now seeing sites that target smartphones – specifically Android and the iPhone.

“It’s worth noting that this site also can be displayed on the Windows Phone and BlackBerries but they are both not specifically targeted at this time”, he says, adding that the problem seems to originate from spammed email sent to the user, who then reads on their mobile.

“When a user clicks on the link, the browser launches and opens an adult site. As you can see at the top of the site, the site supports the iPhone and Android OS”, he says.

“Once a user is registered, they are asked to pay for the service within three days, which is an exorbitant Y55,000 (US$700). The site makes registration look real by displaying the IP address used by the phone, browser details, customer ID, and so on”, he adds.

The solution to the pop-ups is actually a lot simpler than many embarrassed smartphone users realise, says Hamada, and involves simply closing the mobile browser – and not visiting the site again.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security  •  Wireless and Mobile Security