Most people would never think to prank call themselves. However, they may be allowing their smartphones to do just that by falling prey to a newly discovered security flaw.
Gone are the days of the traditional prank phone calls, executed by giggling teenagers in a darkened kitchen. Today, mobile phones have not only replaced such relics as the landline, but they have also opened consumers up to a whole new realm of scams. We now use our mobile devices for phone calls and everything else under the sun, so it makes sense then that pranksters and their far less benign counterparts (hackers) have also adopted new ways of duping unsuspecting users out of their personal information and money.
The latest mobile threat to be on the lookout for comes courtesy of a security precaution often overlooked in many popular mobile messaging apps like Facebook Messenger, Apple FaceTime, and Gmail for mobile. The flaw allows a call to be placed without requiring the user to confirm the action when a link is clicked. This could potentially allow clever criminals to abuse the “tel” Uniform Resource Identifier (URI) scheme to run call fraud. URI schemes tell a computer or mobile device where to go for a certain resource, such as launching an app or dialing a phone number when a link is clicked. Much like when a browser is launched after you click on a web link in an email, native mobile messaging apps can be used as conduits to send malicious links that will trigger a call to be made from your phone.
Typically, an app should prompt you to make sure you would like to go through with the call beforehand, but many big-name native messaging apps have this warning feature turned off by default. The flaw was discovered by Andrei Neculaesei, a developer in Copenhagen, who created a mock website to confirm that most of these messaging apps would just go ahead and make the call.
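For app developers, the missing safeguard described above is a confirmation gate in the link handler. The sketch below is an added example, not code from the original article or from the apps it names; `decideLinkAction`, `handleTap`, and the `ui` object are hypothetical names, and blocking every scheme other than `http`, `https`, and `tel` is an assumed policy.

```javascript
// Added example: hypothetical link-tap policy for a messaging app's link handler.
const DIALABLE = /^\+?[0-9*#]+$/; // digits, optional leading +, DTMF * and #

// Decide what to do with a tapped link: "open", "confirm", or "block".
function decideLinkAction(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { action: "block", reason: "unparseable link" };
  }
  if (url.protocol === "http:" || url.protocol === "https:") {
    return { action: "open" };
  }
  if (url.protocol !== "tel:") {
    return { action: "block", reason: "scheme not allowed: " + url.protocol };
  }
  // Everything after "tel:" up to the first parameter (";ext=...") or query.
  let raw = url.href.slice(url.protocol.length).replace(/^\/\//, "").split(/[;?]/)[0];
  try {
    raw = decodeURIComponent(raw);
  } catch {
    return { action: "block", reason: "bad percent-encoding" };
  }
  const number = raw.replace(/[-.() ]/g, ""); // drop visual separators
  if (!DIALABLE.test(number)) {
    return { action: "block", reason: "not a phone number" };
  }
  // Never dial directly: the user must see the normalized number first.
  return { action: "confirm", number };
}

// Wire the policy to the app. `ui` is an assumed object with open/confirm/dial.
function handleTap(href, ui) {
  const decision = decideLinkAction(href);
  if (decision.action === "open") {
    ui.open(href);
    return "opened";
  }
  if (decision.action !== "confirm") return "blocked";
  if (!ui.confirm("Call " + decision.number + "?")) return "declined";
  ui.dial(decision.number);
  return "dialed";
}
```

Showing the normalized number in the prompt lets the user see exactly what would be dialed, whatever text the link displayed.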
But really, what is so bad about someone making random calls through your phone?
This security oversight could give hackers an easy way to make premium-rate phone calls for a profit and leave unsuspecting users with the bill. Hackers are buying these premium-rate phone numbers and collecting money each time they trick a user’s phone into calling the high-rate number. Therefore, they will likely place as many calls as possible before someone gets a very surprising (and astronomically high) phone bill.
While this scam is still hypothetical, parts of it are the same as those used by many other forms of malware and phishing attempts. The URI scheme phone scam uses a malicious link to launch the initial round of premium-rate phone calls, and like many others, it relies on consumers to make the first click.
Theoretical or not, smart mobile security habits can keep your device and information safe from similar tricks and many others beyond it.
- Don’t click on a link from someone you don’t know, whether it’s in an email, social media, or a text message.
- Keep a close eye on your monthly phone bill for any unusual charges from making calls to premium-rate phone numbers.
- Make sure to install security software on all mobile devices. The extra layer of protection that security software can provide your device is essential to protecting privacy. McAfee® Mobile Security is free for both Android and iOS, and offers a variety of protections to help avoid misbehaving apps, including the SMS and call filter that easily siphons out spammers and unwanted numbers for Android users.