UK premium phone services regulator PhonepayPlus has fined a Moscow-based firm £50,000 for failing to provide accurate pricing information and charging without consent.
Connect Ltd, trading as SMSBill, is the firm behind a malicious Facebook link that led to malware being downloaded onto Android smartphones. The malware was discovered by security firm Sophos in February.
While posing as a conduit to popular games, the link was coded to send an SMS message which subscribed the phone to an expensive premium rate service.
The regulator found that Connect Ltd had made “very serious” breaches of the PhonepayPlus Code of Practice and the company is believed to have defrauded consumers of up to £250,000.
In addition to the fine, Connect Ltd has been ordered to refund all consumers who used the fraudulent service, whether or not they have claimed a refund.
Consumers duped by Android malware
The regulator said that when consumers downloaded an Android app for accessing games, they were presented with a screen titled “Downloader”.
On selecting “install”, consumers were presented with a screen that asked, “Do you agree with the rules of downloading?” and offered two buttons, one marked “OK” and a second marked “Rules”.
Where a consumer selected “OK”, a text message was automatically sent to a premium service that charged £10 to their bill.
Selecting the “Rules” option displayed eight pages of terms and conditions, but the regulator found that inaccurate pricing information was given for UK users, who were charged more than indicated.
Consumers were then given the opportunity to select “Agree” or “Disagree” buttons. Where “Agree” was selected, a text message was automatically sent to a premium service that charged consumers £10.
The regulator found that consumers were not notified in advance of the charges.
“The sending of expensive SMS messages is one of the most common ways in which smartphone malware attempts to earn revenue from its victims,” said Graham Cluley, senior technology consultant at Sophos.
“People are rarely vigilant about reading terms and conditions, which might give a clue to the kind of service they’re signing up to,” he said.
Cluley said consumers should always be careful about what apps they install, and – in the case of Android apps – they must check they are happy with the permissions the app requests at installation.