JSDialers: apps calling premium rate numbers (with new techniques) in Google Play
With Google Play more vigilant about premium SMS apps in its market, the attackers have tried other techniques that avoid Java and focus on JavaScript received from the servers. Besides, they do not only subscribe to premium SMS services, but also make phone calls to premium rate numbers. Everything is done in a very smart way: for example, they try to mute the telephone and microphone during the phone calls, try to hide the phone call itself from the screen... and take the whole code from the servers instead of embedding it.
What the user perceives
When the user downloads and installs any of these apps, something like this will be shown.

These are the typical "terms and conditions" that probably nobody will read. Accepting them implies making the phone call in an automatic way that is transparent to the user. The "Aceptar" image shown is taken from this jpg file:
hxxp://www.contentmobileapps.com/called/images/continuar_call_100.jpg
Whatever the user answers about the age, the device will show an animation (a GIF taken from hxxp://www.contentmobileapps.com/called/images/loading.gif) while the actual phone call is made to a premium rate number.

It seems that, depending on the phone, a green bar may appear for a few seconds, but the developer tries to hide it.

The attacker mutes the telephone and microphone so the user is unable to hear the call being placed or the recorded announcement of the premium service.

The victim will be subscribed to this service and will have to bear the costs of premium rate calls. The user will now be able to browse the recipes, but the phone call has already been made.

Once the "Help" button is clicked, the option to unsubscribe is given.

What happens and how does it work?
These apps depend strongly on the servers and work via the Cordova plugin system, a set of device APIs that allows a developer to access device functions from JavaScript. The permissions of the analyzed app are these, although they are not the same in all of them; some lack the SMS permissions.

The first thing the app does is launch a WebView with Cordova that shows an internal HTML page.




With Cordova's help and a dialler plugin, it finally makes an actual phone call.
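As an added example (not code from the original post or from the analyzed apps), a small Python triage check for a decoded APK (for instance the plain-text output of apktool) that looks for the combination described above: Cordova with a WebView allowed to fetch JavaScript from any server, a native dialler feature exposed to that JavaScript, and the CALL_PHONE and MODIFY_AUDIO_SETTINGS permissions. The sample manifest, the config.xml contents and the PhoneDialer feature name are constructed for the example.

```python
# Added triage heuristic (not from the original post): flag a decoded Cordova APK whose
# manifest permissions and config.xml match the JSDialer pattern described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def _local(tag):
    """Strip an XML namespace: '{ns}access' -> 'access'."""
    return tag.rsplit("}", 1)[-1]

def manifest_permissions(manifest_xml):
    """<uses-permission android:name="..."> values from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def cordova_indicators(config_xml):
    """Remote origins (<access origin>) and native features (<feature name>) from config.xml."""
    root = ET.fromstring(config_xml)
    origins = [e.get("origin") for e in root.iter() if _local(e.tag) == "access"]
    features = [e.get("name") for e in root.iter() if _local(e.tag) == "feature"]
    return origins, features

def triage(manifest_xml, config_xml):
    """Return the list of JSDialer-style findings; an empty list means no match."""
    findings = []
    perms = manifest_permissions(manifest_xml)
    origins, features = cordova_indicators(config_xml)
    if "android.permission.CALL_PHONE" in perms:
        findings.append("can place calls without the dialler UI")
    if "android.permission.MODIFY_AUDIO_SETTINGS" in perms:
        findings.append("can mute speaker/microphone during a call")
    if any(o == "*" or o.startswith("http://") for o in origins):
        findings.append("WebView may load JavaScript from any/cleartext server")
    if any("dial" in f.lower() or "phone" in f.lower() for f in features):
        findings.append("native dialler plugin exposed to JavaScript: " + ", ".join(features))
    return findings

# Constructed sample input, modelled on the permissions and Cordova setup described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
</manifest>"""
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.recipes">
  <access origin="*"/>
  <feature name="PhoneDialer"><param name="android-package" value="com.example.PhoneDialer"/></feature>
</widget>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_CONFIG):
        print("[!]", finding)
```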
The developers have found a way to get back to fraudulent activity, this time with premium rate phone calls. Who is behind these apps? The domains being used and the terms and conditions are very clear. We are investigating the developers and some other apps of theirs, and will try to offer a report soon.
With Path5, we could find similar apps. Some of them have already been removed, but not all of them. They have been uploading fraudulent apps since early January.

Some apps have mutated from apps related to cars (in Japanese) to porn. This is their preferred way to hide better in Google Play.

- Videos hd peliculas porno sexo, com.gepekline, 6f1c3a596920298873f1e38842f751991875e6d6
- Peliculas videos sexo Porno hd, com.wheelpvies, 34b2bba921e9b7d9c8242d31e2cc011908684d9a
- Videos hd peliculas porno sexo, com.spportss, ada71fc53f9aae5f84cc69814b58f65f1e273067
- Canciones infantiles y videos, com.sursongsonline, 1fcce1b8effdcbdef54cc02675eefc5214fec67b
- Peliculas videos porno sexo hd, com.escarsysview, 031490dd0b824c02be7d0fe728d67f998ef7c914
- Cine estrenos peliculas online, com.filmsmeka, e856cd2d4a366abbb1df18c8bc53c7a35a6da535
- Un millón de recetas de cocina, com.recippes, 194362c46b124161a5289d1d3c4c56f93b142044
With our database, we have been able to locate some other apps and to prove that the developers behind them are based in Valencia and have been working on these frauds for a few months now.

The whole document is available here: