12 April 2018
The risk of malware attack is an ever present concern in the online environment. Android malware attacks have been known to affect UK consumers in a variety of forms from spying on consumers’ handset usage to adware that uses a consumer’s handset to generate ad clicks, right through to ransomware which is designed to defraud the user.
We have been monitoring the potential for Android malware to affect users of operator billing in the UK. While Android malware targeting users of operator billing has affected consumers in other overseas territories, UK instances have had limited impact to date.
We have been successful in minimising the impact of malware attacks in the UK affecting phone-paid services. We have done this through:
- our extensive monitoring programme
- working with antivirus specialists to identify areas of risk
- working with the industry, including the mobile networks, the compliance audit houses and Level 1s
- working with the major platforms to ensure any apps identified as carrying relevant malware are shut down and removed as quickly as possible.
We are, however, aware that the risk of malware attack continues to be significant. In recent months, we have worked with a Level 1 provider to identify and mitigate a malware attack – underlining the need to remain vigilant.
With this in mind, we would like to remind providers, and in particular Level 1 providers who facilitate operator billing, that they have a responsibility to take practical and effective steps to mitigate the potential harm from malware. Level 1s should fully consider their payment systems and flows, due diligence, risk assessment and control processes and the systems that ensure they are meeting their obligations under paragraph 3.1.1 of the Code.
These include measures to ensure their:
- payment platforms are robust
- monitoring is effective in detecting malicious activity and that they keep the appropriate data to do so both proactively and reactively
- controls are effective and up to date.
We will continue to work with industry to mitigate the risks arising from Android malware. We are intending to host a workshop with Level 1 providers in the near future where we will explore the above measures in greater detail. We will issue a separate communication to Level 1s to this end.
In addition to these steps, we have commissioned, alongside a number of MNOs, independent research into the security of L1 platforms in relation to consent to charge. This is intended to improve our understanding of the issue and may suggest further areas for policy or regulatory action by us, in addition to any action that the industry may decide to take.