We are the UK regulator for content, goods and services charged to a phone bill.

£330,000 fines issued to UK companies over mobile malware and WAP opt-in

11 December 2014

- Fines totalling £330,000 have been issued to three companies, Circle Marketing LtdCloudspace Limited and Syncronized Ltd, which were found to have breached premium rate service regulator PhonepayPlus’ Code of Practice. General refunds ordered.

- PhonepayPlus monitoring demonstrated that mobile applications containing malware downloaded onto users’ phones after browsing online, then charged their phone bill without their knowledge.

- Separately to the apps, some consumers interacted with the services through a WAP link sent to their mobile phone after their details had been obtained from marketing lists.

- Some consumers reported bills of hundreds of pounds to PhonepayPlus.

- Malware investigated by PhonepayPlus’ research team, following reports by Kaspersky Lab.

Premium rate services regulator PhonepayPlus has issued fines of £330,000 to three companies after uncovering mobile malware that concealed charges to Android phone owners. The malware was investigated by PhonepayPlus’ research team, following initial identification by Kaspersky Lab and using data provided by the internet security company. Consumers are being warned to look out for anything out of the ordinary on their phone bill.

The malware was contained in a number of apps, with names such as ‘Fun Sexy Girls’ and ‘Glam Pleasures’, which downloaded automatically without users’ consent whilst they visited an adult website. Once installed consumers could inadvertently initiate a subscription by clicking anywhere on the screen. The app suppressed premium rate text messages, such that the phone’s owner would not know that they were being charged. 

Joanne Prowse, Acting Chief Executive of PhonepayPlus, said:

“This mobile malware downloaded without mobile owners’ consent and hid the charges. It was found thanks to the work of PhonepayPlus’ research team and Kaspersky Lab. As a result of our investigation the companies involved have been fined £330,000 and refunds have been ordered for consumers.

“The digital economy is ever more central to people’s lives, bringing new opportunities for business, but also new risks to consumers through evolving mobile malware. Tackling this threat and supporting genuine innovation and good business within premium rate services is one of PhonepayPlus’ key priorities. This case of mobile malware is not typical of the majority of PRS businesses, which offer services that consumers enjoy and find convenient to use. 

“If the UK’s digital economy is to fulfil its potential we must all play our part, business, regulators, and government alike, in driving bad practice out of the market. We are working closely with business, online security experts and other regulators to ensure that consumers are protected from these risks.”

David Emm, Principal Security Researcher, Kaspersky Lab, said:

“As we as a society become increasingly dependent on mobile devices to connect to the internet, it is only natural that the criminals will see an opportunity and follow our activities. It is difficult enough for consumers to remain vigilant to the abundant threats out there, without having to deal with hidden threats from seemingly legitimate sites as well. This verdict is great success for those trying to protect mobile users, and will hopefully deter other potential opportunists. Consumers were billed between £1.50 and £4.50 per week and the only indicator that something was out of the ordinary, was when they received their bill, which showed unusual charges.”

In addition to the app, two of the three PRS providers, Cloudspace and Circle Marketing, used marketing lists to contact consumers without their consent. 

All three companies were unable to show that they had obtained consumers’ consent to be charged.

In relation to the WAP opt-in, a number of consumers reported receiving explicit text messages, and told PhonepayPlus that they were shocked, describing themselves as “extremely upset” by “these vile messages”. Amongst those who complained were a woman aged over 60 years old, parents who reported on behalf of teenage sons and daughters and one person who had been out of work for six months.

One complainant reported being billed £231, another reported that their daughter was charged £150 more over a three month period than usual, and another said that they had been receiving the explicit text messages for over two years before approaching PhonepayPlus.

In October 2014, Kaspersky Lab and Interpol reported that in the first half of 2014 alone, 175,442 new unique Android malicious programs were detected. That is 18.3% (or 32,231 malicious programs) more than in the entire year of 2013. Earlier this year, a report by Lookout found that the UK has so far had relatively low experience of mobile malware compared with other countries. In 2012 PhonepayPlus cut off a mobile malware attack in the UK, dubbed RuFraud by security experts, which attempted to charge consumers via premium SMS and was targeted at 18 different countries.

PhonepayPlus’ research team uses a range of techniques to identify and investigate mobile malware threats that fall within its remit as the UK’s premium rate services regulator. In addition to information sharing with anti-virus experts and other regulators, PhonepayPlus uses algorithms to gather data on threats and meaningful information from consumer comment on social media and online forums. This data is then analysed to identify developing trends and problems, which feed into the regulators’ investigations and advice to consumers. Phonepayplus is continuing to develop and invest in its monitoring and research against malware. 

PhonepayPlus recently joined with Ofcom and other regulators to produce advice on mobile apps for consumers