(Credit: Screenshot: Download.com/Tom McNamara)

The McAfee Mobile Research Team announced the discovery of malware circulating on the Android App Store that can trick people into paying text message fees that don't show up until they get their phone bill at the end of the month. The apps that have been discovered so far are mostly for ringtones and QR codes -- despite the fact that both iOS and Android now have built-in QR code readers.

SEE: How to find, download, and install Android apps safely

The technique is known as a WAP billing Trojan; WAP stands for Wireless Application Protocol, which is a system where the user sends money to an SMS number, such as you might do for an emergency relief effort. Trojans are a type of malware that's packaged inside something that looks benign, a reference to the apocryphal Trojan horse that Odysseus hid soldiers in to sneak past a city gate, as described in Virgil's epic Latin poem Aeneid. Yeah, the reference has been around for a while.

You probably don't need a dedicated QR code reading app

McAfee's announcement lists all the Sonvpay apps they've found so far, and there are a couple of QR code apps on there -- neither of which you probably need. These days, Google and Apple build QR code recognition into Android and iOS. In Android, you can use the Lens function in the Google Assistant app to scan QR codes.

When you open the Assistant app, Lens is the icon that looks like a camera in the lower right-hand corner. Tap it, and you'll see whatever your phone's camera viewfinder is looking at. If Lens detects a QR code, a blue or yellow dot should appear in front of it. Tapping that dot will read the QR code.

If you have a Pixel phone, then Lens is also available as a shortcut within the Google Camera app.


In iOS, it's even easier. The Camera app itself will automatically read whatever QR code you put in front of it, then a notification will drop down from the top of your screen, telling you what the code says.

Six of the 15 Sonvpay apps encountered so far are for specific ringtones. Android and iOS can't necessarily protect you from that, if you don't like the ringtones that come with the operating system. But if you want to browse the built-in ones in Android, current versions of the operating system have a search function in the system settings.

In Android 8.0, you access your settings by dragging down from the top of the screen and tapping on the gear icon. Then tap on Search Settings at the top, search for "ringtone," and a shortcut to the ringtone section should appear at the top of your search results. Tap that, then tap Phone Ringtone to see the list. In iOS, open the Settings app, tap the Search function at the top, type in "Ringtone," tap the Ringtone search result, and you will see the list of all ringtones on the device.


How to protect yourself from apps like these

The guide I wrote in 2016 is still applicable today, but if you don't have the time to read all of it, there are two main things to look out for: apps asking for permissions they don't need -- like a QR code reader wanting to make and receive phone calls -- and impostor apps with slightly misspelled names. For example, the McAfee Sonvpay report calls out one app called Wifi-Hostpot, a misspelling of "Wifi-Hotspot." (Note: Creating a Wi-Fi hotspot is another function that's usually built into your phone these days. Check the documentation for instructions specific to your device.) If the app is popular, typing its name into a Google search should show you the correct spelling.
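The two checks above can be scripted when reviewing a batch of apps. This is an added example, not code from McAfee or Download.com; the permission baselines, the known-name list and the helper names are constructed assumptions. It uses an edit distance that counts a swap of two adjacent letters as a single change, which is exactly the "Hostpot"/"Hotspot" case.

```python
# Constructed baseline: permissions each kind of app plausibly needs (assumption).
EXPECTED_PERMISSIONS = {
    "qr_reader": {"android.permission.CAMERA", "android.permission.INTERNET"},
    "ringtone": {"android.permission.INTERNET", "android.permission.WRITE_SETTINGS"},
}

# Constructed list of legitimate names to compare candidates against (assumption).
KNOWN_NAMES = ["Wifi-Hotspot", "QR Code Reader"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Two adjacent letters swapped counts as one edit, not two.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str, known=KNOWN_NAMES, max_distance: int = 2):
    """Return the known name this one nearly matches, or None. Exact matches pass."""
    for candidate in known:
        if 0 < edit_distance(name, candidate) <= max_distance:
            return candidate
    return None


def unexpected_permissions(category: str, requested) -> list:
    """Permissions requested beyond the baseline for this kind of app."""
    return sorted(set(requested) - EXPECTED_PERMISSIONS.get(category, set()))


if __name__ == "__main__":
    print(lookalike_of("Wifi-Hostpot"))
    print(unexpected_permissions("qr_reader", ["android.permission.CAMERA",
          "android.permission.CALL_PHONE", "android.permission.SEND_SMS"]))
```

A hit from either function is a reason to look closer at the listing, not proof that the app is malicious.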

The takeaways

  1. If you want a popular ringtone, make sure that you're getting it from an official source.
  2. If you want to scan a QR code, you probably can with the tools built into Android and iOS.


Tom is the senior editor covering Windows at Download.com.