SMSFactory spreads new mobile bill woes

Bill shock due to overages is one of those events that can cause a customer to completely re-evaluate their relationship with their communications service provider (CSP), even if they were perfectly happy before. If it is not resolved quickly and satisfactorily, it can lead to churn. But what happens when the overages are not large enough to be shocking, just large enough to slowly bleed cash from the customer? How will the customer feel when they eventually wake up to what has happened? And what will they do?

SMSFactory is Android malware first identified by cybersecurity firm Avast. Once installed, it sends premium-rate SMS messages and makes premium-rate calls, racking up charges of up to USD7/EUR6.50/GBP5.60 per week, or USD336/EUR313/GBP268 per year. The amount is cleverly chosen. Many mobile users have now set cost controls on their phones so they cannot run up huge bills, and carrier fraud management systems are calibrated to block large, anomalous charges. A trickle of small charges passes underneath both.

And here is the conundrum: if we use our phones to pay for things, then a small charge here and there becomes very hard to detect. Is it an authorised charge or not? Who reads their bill line by line rather than glancing at the total and checking that it is in the right ballpark? The amount is specifically designed to sit below the per-transaction thresholds most people have set on their phones.

The malware has targeted users in the US, France, Spain, Turkey, Argentina, Brazil and Russia, amongst others. It is being spread through malvertising, push notifications and alerts from sites offering game hacks, adult content or free streaming services. It is disguised as a legitimate app but, once installed, it hides on the victim’s device and can be quite difficult to detect.

Antivirus vendor ESET says SMSFactory is also being distributed by two malicious Android app stores: APKMods and PaidAPKFree. Once installed, a welcome screen appears that requires the user to tap ‘accept’. SMSFactory itself uses a plain black icon and then hides by removing that icon from the victim’s home screen. The malware then sends a unique ID allocated to the infected device, along with its location, phone number, mobile carrier information and phone model, to a pre-set domain.

Charges will begin appearing on bills – Avast says it has seen daily $1 charges split across 10 SMS messages.

Such malware can have devastating effects on the relationship between mobile service provider and customer, and it is costly for the mobile carrier. Naturally, when the customer finally realises how much they have been over-charged, whether after one bill cycle or several, they are going to ring their carrier to find out what is going on. Triaging those calls adds to the burden on customer care and to the carrier’s costs, and the charges themselves are often refunded or written off.

But this is not just a customer risk, it is a commercial risk, because such malware threatens to undermine carriers’ business models. Much of the general press, for example, is recommending that customers simply set their authorised charging limits to zero, which means they will also be unable to pay for legitimate additional charges such as carrier-billed purchases and premium services.

What’s the solution? Well, I’m sure that telecoms vendors have a view on smart spending controls that can query this type of charge: for example, highlighting that this is the first time a payment has been made to this number or vendor and requiring additional authorisation, or flagging when many small premium charges add up to an unusual total over a week even though no single charge breaches the limit.
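To make the gap concrete, here is an added example (my own illustration, not code from the original article or from Avast or any telecoms vendor) that runs two kinds of spend control over constructed premium-SMS charge records shaped like the pattern described above: ten small premium messages a day, about USD1 per day, USD7 over the week. The per-transaction cap, the weekly cap, the destination naming scheme and the "known premium destinations" table are all hypothetical. The naive per-transaction check catches only a large one-off charge; the first-seen-destination check and the rolling seven-day total catch the trickle.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample charge records: (subscriber, timestamp, destination, charge in cents).
# Charges are integer cents rather than floats so running totals are exact.
START = datetime(2022, 6, 1, 9, 0)
RECORDS = []
for day in range(7):                      # ten 10c premium SMS a day: $1/day, $7/week
    for i in range(10):
        RECORDS.append(("sub-001", START + timedelta(days=day, minutes=37 * i),
                        "premium-shortcode-A", 10))
RECORDS.append(("sub-001", START + timedelta(days=2, hours=5), "+15550100", 5))            # ordinary SMS
RECORDS.append(("sub-001", START + timedelta(days=3, hours=12), "premium-shortcode-B", 600))  # one-off larger charge

PER_TXN_LIMIT_CENTS = 500         # hypothetical per-charge cap, as typical cost controls apply
WEEKLY_PREMIUM_LIMIT_CENTS = 300  # hypothetical rolling 7-day premium spend cap
# Premium destinations this subscriber has knowingly paid before (constructed).
KNOWN_PREMIUM = {"sub-001": {"premium-shortcode-B"}}


def is_premium(dest):
    """Toy classifier: a real system would look the destination up in a premium-rate number table."""
    return dest.startswith("premium-")


def per_transaction_alerts(records, limit=PER_TXN_LIMIT_CENTS):
    """The naive control: flag only individual charges above the cap."""
    return [r for r in records if r[3] > limit]


def spend_control_alerts(records, known=KNOWN_PREMIUM,
                         weekly_limit=WEEKLY_PREMIUM_LIMIT_CENTS, window_days=7):
    """Two complementary checks. Returns (reason, subscriber, timestamp, destination, cents):
    - the first charge to a premium destination this subscriber has never paid before;
    - the moment rolling-window premium spend crosses the cap, even though each charge is small."""
    alerts = []
    seen = {sub: set(dests) for sub, dests in known.items()}
    window = defaultdict(list)     # subscriber -> [(timestamp, cents)] inside the window
    prev_total = defaultdict(int)  # last window total per subscriber, to alert only on crossing
    for sub, ts, dest, cents in sorted(records, key=lambda r: r[1]):
        if not is_premium(dest):
            continue
        if dest not in seen.setdefault(sub, set()):
            alerts.append(("first-seen-premium-destination", sub, ts, dest, cents))
            seen[sub].add(dest)
        cutoff = ts - timedelta(days=window_days)
        w = window[sub]
        w.append((ts, cents))
        w[:] = [(t, c) for t, c in w if t > cutoff]   # drop charges that fell out of the window
        total = sum(c for _, c in w)
        if prev_total[sub] <= weekly_limit < total:
            alerts.append(("rolling-premium-spend-exceeded", sub, ts, dest, total))
        prev_total[sub] = total
    return alerts


if __name__ == "__main__":
    print("per-transaction cap alone:", per_transaction_alerts(RECORDS))
    for alert in spend_control_alerts(RECORDS):
        print(*alert)
```

Running it shows the naive cap flagging only the USD6 charge to the already-known shortcode, while the trickle to the new shortcode is flagged twice: once on its very first message (the "first payment to this number" prompt the article suggests) and once on day four, when the rolling total passes the weekly cap. In production the same checks would be fed from rating or billing events, the destination table would come from the premium-rate number registry, and the alert would trigger a customer confirmation rather than a silent block, so that legitimate carrier-billed purchases still go through.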

Bill presentment vendors also have a role to play. A good bill design should highlight additional, unexpected charges so that customers can query any that have slipped through, narrowing the window of opportunity. But it should be remembered that the most vulnerable customers – children, the elderly, people who are unwell – are often also the most exposed to these tactics, and they need the most help both to prevent such charges and to recover when they are victimised.