Nearly 1,400 UK users of Android smartphones have been targeted by premium-rate phone scams masquerading as popular apps such as Angry Birds and Cut the Rope.
The malicious apps were posted to Google Play (formerly known as the Android Market) last December, but the scammers were finally brought to book last week by UK phone-paid services regulator, PhonepayPlus.
The regulator blocked payments to the scammers and ordered A1 Agregator Limited, a Latvian firm linked to the scam, to pay £50,000 in fines and refund all unauthorised charges to smartphone users targeted by the scam.
A1 Agregator was fined because it was in charge of the "shortcodes" and payment mechanisms used for the scam in the UK, but PhonepayPlus could not say whether the company was involved in planning the scam, according to the Guardian.
The scam used malware called RuFraud that enabled the scammers to make unauthorised premium-rate text message charges using payment shortcodes, according to Lookout, the mobile security firm that reported the scam to Google.
"We quickly worked with Google to identify, remove and protect users from downloading all instances of RuFraud from Google Play," the company said in a blog post.
According to the security firm, the premium shortcodes used by the malware could have been used to target smartphone users in 17 other countries, including Italy, France, Germany, Russia, Poland, Tajikistan, Ukraine and Estonia.
PhonepayPlus warned that the scam was part of a multinational scheme by scammers aiming to capitalise on the growing popularity of Google's platform and the lack of checks on apps posted to Google Play.
"Mobile apps are a powerful malware delivery method, as most users are willing to allow apps to do anything to get the desired functionality," said Carl Leonard, senior security research manager at IT security firm Websense.
Security researchers are reporting a rapid evolution of mobile malware, from the code generating premium-rate text messages that appeared about six months ago to the new data-stealing apps, Leonard told Computer Weekly.
This is particularly bad news for businesses that allow bring your own device (BYOD) schemes, said Leonard, as mobile malware is easily modified to steal data such as names, e-mail addresses and phone numbers.
A recent poll of more than 1,000 consumers by security firm AdaptiveMobile revealed that, while 69% are concerned about data breaches, 75% fail to check what permissions they are granting to apps they download.
Other research by the security firm has shown that common applications, including Angry Birds, have access to information including country, city, GPS location and owner’s name, and may contact up to 17 different domains to share this kind of information with external bodies including advertisers.
“If we are to slow the rise in cyber crime, consumers need to become more aware of the need for phone security, and operators should provide protection against the unauthorised or inadvertent leakage of personal data to guard and build trust with their users,” said Ciaran Bradley, vice-president of handset security at AdaptiveMobile.