A Moscow-based firm has been fined £50,000 ($77,500) and ordered to refund victims after an Android-based link subscribed customers to a premium-rate service without consent.
The UK premium phone services regulator PhonepayPlus has ordered Connect Ltd -- trading as SMSBill -- to refund all customers who have been affected, whether or not they have claimed compensation.
The firm is behind a malicious Facebook link which, once clicked, downloaded malware on to Android-based smartphones. The malware masqueraded as an app which provided access to games, and then sent an SMS message from the phone, automatically subscribing the owner to the service.
The sent message generated an auto-reply text, which then cost the owner £10 ($15). On page 6 of the app's terms and conditions, a price of "about £5" was specified.
The UK watchdog has ordered that customers will be credited on their next mobile phone bill and refunds must be offered within three months. If the number is no longer in use, then the refund will go to charity. Connect is estimated to have gained fraudulent profits of £250,000 ($397,000) through the scheme.
Senior technology consultant at Sophos Graham Cluley said:
"The sending of expensive SMS messages is one of the most common ways in which smartphone malware attempts to earn revenue from its victims. People are rarely vigilant about reading terms and conditions, which might give a clue to the kind of service they're signing up to."
The malware was discovered in February by SophosLabs researcher Vanja Svajcer, who also made a video documenting how the malware made its way from the Internet to being installed on his Android smartphone. The malware has now been detected as Andr/Opfake-C.
Connect has now been formally reprimanded and can only operate under the premium phone services regulator's supervision. The company has the option to appeal.