back to article Android dev smacked with £50k fine over premium rate SMS scam

UK regulator PhonepayPlus has fined a Russian firm £50,000 after it was found guilty of peddling a deceptive Android application that signed unwitting victims up to a premium-rate text service. Connect Ltd, trading as SMSBill, reportedly promised access to Android games. After the app was installed, a text message was also …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    If it was Apple then people would be saying "how can this be possible", Because it is Android nobody bats an eyelid?

    1. Anonymous Coward
      Anonymous Coward

      @AC: "Because it is Android nobody bats an eyelid?"

      This isn't an OS issue. They're exploiting customer naivety with a complex contract, and there's nothing an OS can do to overcome that. It's more of a confidence trick than a tech exploit.

      1. Anonymous Coward
        Anonymous Coward

        @Ralph 5

        "After the app was installed, a text message was also sent to a premium-rate number"

        Android is designed to allow this very thing to happen. You can't complain about "closed" and how good "open" is and then turn around and and say it has nothing to do with the OS.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Ralph 5

          "Android is designed to allow this very thing to happen. You can't complain about "closed" and how good "open" is and then turn around and and say it has nothing to do with the OS."

          Yes, it is designed to allow applications to send SMSs, it's very useful to certain applications. The chumps who installed it clearly got told that this application is asking for permission to "use services that cost you money" and they agreed to it. As Ralph said, this is a user, not an OS issue.

          1. RICHTO

            Re: @Ralph 5

            Strange it doesnt happen on IOS or Windows Phone then if it's a 'user' issue....

        2. Dr. Mouse

          Re: @Ralph 5

          "Android is designed to allow this very thing to happen."

          As has been stated, yes it is. But this is not an OS error, but a scam and a user error.

          Every time an app is installed, you are told what "permissions" it is requesting. The fact that users don't bother to read these is their problem, not a problem with the OS. It is like someone running Windows blindly clicking yes in answer to a dialogue box asking for Admin rights, similarly in Linux/Unix GUIs.

          In a well designed OS, it is the resonibility of the user and the administrator* to make descisions relating to the security of the system. "The price of freedom is eternal vigilance". I'd rather have my freedom than the restrictions of Apple.

          *In terms of mobe's, the user and admin are normally one and the same, although most users don't realise. In Apple's case, they have decided users can't be trusted, so they become the administrator.

        3. Gerard Krupa

          Apple Immunity

          Yes, this has never happened with an iPhone app. Oh wait...

          1. TeeCee Gold badge

            Re: Apple Immunity

            Hmm, Admob. That would be owned by Google, right?

            Credit where credit's due.......

    2. Anonymous Coward

      There was a problem, it's now fixed and the guys who did it got fined. What more do you want? There will always be things like this in the software industry. I mean, at least it got found, right?

      1. John Rose

        Fine paid?

        But will the miscreant(s) pay the fine.

        1. RICHTO

          Re: Fine paid?

          Of course not. They will just open another Ltd company for £20 and let the old one fold....

    3. ukgnome

      If it was Apple they would be suing the Dev because it's their remit to screw the little guy for every bean. Presumably they invented scams too

    4. Tom 35

      Apple would never allow it...

      Unless they get their 30%...

    5. Anonymous Coward

      EPIC FAIL - Sophos are clearly idiots....

      The idiot in the video on the Sophos website had already unticked the "Unknown sources", and then obviously failed to understand the following warning it presented him.

      “Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications.”

      What a tool.

      1. Yet Another Anonymous coward Silver badge

        Re: EPIC FAIL - Sophos are clearly idiots....

        So Sophos shouldn't have a market for desktop AV because internet explorer warns you when you download apps or open attachments ?

        I suppose a warning on the boot screen saying - "allow code to run on this cpu?" would mean everyone is an idiot

      2. Anonymous Coward
        Anonymous Coward

        Re: EPIC FAIL - Sophos are clearly idiots....

        Yep, that's the plan. You engineer a situation where you can sell idiots snakeoil (in this case Android anti-malware packages).

        What's surprising is the sheer number of idiots that seem to be fooled by this, including tech journalists.

    6. LarsG


      Don't we know about yet?

      Might find it is endemic in that there is no proper vetting of Android aps.

      1. Anonymous Coward


        Errm you do know this wasn't downloaded from the Google play store right? Did you even look at the video on the Sophos site?

        They are downloading random APK files from the internet, which unsurprisingly ISN'T vetted...

        If you didn't OK the scary malware warning, then you woudln't be able to do that. The only people really at risk, are those shopping (or pirating) from non-Google sources (including Amazon).

      2. Anonymous Coward
        Anonymous Coward


        Doubtful really, it's certain that Sophos exhausted Google Play before they looked at unofficial sources for their sales pitch.

        ......and in the UK telcos are required to block all premium rate calls & sms if you request it.

      3. Psyx


        People find out when they get their phone bill... which some people are statistically going to do within a day. PAYG customers will immediately be flagged.

        In short: It will be uncovered pretty much straight away.

        It's like someone catching a disease which turns them bright blue. Kinda hard not to notice.

  2. John Rose

    How to put 'thumbs' icons after message

    Somebody, please, tell me how to put the thumbs up & thumbs down icons after a message. I've tried clicking on them and also dragging them into the message. Is it something to do with using Firefox rather than Internet Explorer?

    1. Alan Dougherty

      Re: How to put 'thumbs' icons after message

      If you're running NoScript, then whitelist elreg (left of the url bar).

      1. John Rose

        Re: How to put 'thumbs' icons after message

        I don't use NoScript.

        1. Alan Dougherty

          Re: How to put 'thumbs' icons after message

          1) Then you should use noscript.

          2) You have to be logged in, to up, or down vote a post. (I'm still assuming that you are talking about the green red vote buttons under a post?)

          3) Other than that i have no idea. (i.e. can't be arsed, it's beer o'clock).

    2. Phil O'Sophical Silver badge
      Thumb Up

      Re: How to put 'thumbs' icons after message

      Just select the icon (one click) before hitting Submit. Works on Firefox for me.

  3. Anonymous Coward
    Anonymous Coward


    crime pays, and the fine's just running expenses. Better luck next time :(

    1. Yet Another Anonymous coward Silver badge

      Re: crime

      Crim is in Russia, with a company registered in Liberia and servers in China.

      Crim laughs at plod and pays 20quid to register new company,

      BT hand out new premium number and they are back in business tomorrow

  4. Anonymous John

    Can't victims sue Apple because their Android devices are rectangular with rounded corners?

  5. Ilgaz

    Too many permissions

    Things are really absurd in Android software scene lately. Even a freaking "go theme" requests "full network access" (aka server) without any stated reason (crash reports?) & gets hundreds of thousands users.

    I am not saying they do evil things, most theme designers are artists, they can't even code basic. Thing is, something will happen one day and a lot of users (even including me) will learn their lesson in a bitter way.

    1. TeeCee Gold badge

      Re: Too many permissions

      This a guess based on my own findings, but.

      Quite a few of the apps I have fire up associated tasks for the Google/Admob advertising and billing crud (which requires net access) when invoked even though they do not display advertising or have any chargeable functions.

      I suspect that either there's a standard framework for building Android apps from Google that bundles this shit into the build by default and that many devs just haven't noticed and turned it off, or that there are some usage analytics functions squirrelled away in there that the devs get a kickback for including.

      Rather annoyingly, in most cases the memory and processor footprint of the GooCrap (tm) (beta) is rather larger than that of the app itself.....

  6. Tim Brown 1


    aIs there actually any premium-rate phone service that isn't some kind of con? Or at the very least doesn't take advantage of the mentally-challenged?

  7. El Presidente

    Three month escrow?

    For anyone offering premium SMS services with an insurance backed no rip-offs policy.

    There, fixed that. Not so difficult for me, not impossible for PhonepayPlus to implement.

  8. Aqua Marina

    If this is a Ltd company

    Then surely they can cease trading, and start another company up afresh?

    Don't thumbs down me, this is my current understanding of how UK Ltd companies keep appearing to exist, while avoiding responsibility for their actions.

    1. Alan Dougherty

      Re: If this is a Ltd company

      Limited companies can stop trading, and managers and owners will not be personally responsible for debt incurred by the company.. however..

      The directors may be declared bankrupt, and unable to hold a directorship in the UK for 12 months..

      Also, most banks and big creditors, will insist that any capital given is secured personally by the directors, regardless of a limited status of the company.. starting your own business and getting limited status, does not mean you are absolved of loan debt, that the lenders require personal guarantee on..

      I'm not 100% on all the details, but being a self trader, and looking into going limited, my accountant advised it would be pointless for the size of my company, as any loans etc, would still need personal guarantees..

      1. Stuart

        Re: If this is a Ltd company

        What loan do you need to roll out malware that you already have?

        A quick re-brand at minimal cost and simply re-appear ready to go again.

        1. Alan Dougherty

          Re: If this is a Ltd company

          You may have a point there, as my business needs enough capital to buy physical machines and vehicles.. so I'll always have that as an overhead.. but, then I'll always have physical items as capital as well.. not much value for the average bank (these days, despite paying those fuckers over the odds, for the equipment in the first place), for a small business, but, at least I can sell the lot as a going concern..

          If anybody is thinking of starting a business.. one word of advice.. talk to the co-op first before you set up a business account...

          And no, I don't have a co-op account yet (I'm not a shill).. I'm still trying to clear up the clusterfuck of the ulsterbank first.. it's not really fair to turn up on a new banks doorstep with a statement that makes most people go WTF?

      2. RICHTO

        Re: If this is a Ltd company

        You state that the directors are not responsible for the debt and then state that they may be made bankrupt?!

        Get a clue....

        Guarantees would only be on loans - i.e. money you borrow. Not on any other debts like fines....

    2. Psyx

      Re: If this is a Ltd company

      "Then surely they can cease trading, and start another company up afresh?"

      They'd have to get their Aunt or someone to register the company as they would not allowed to be for a period of time. I don't *think* that being a limited company of this scale protects the owners from fines levied by the courts due to deliberate criminal activity.

      ie: I create a company that specialises in mugging. The premises are raided and closed. I am told my company has to pay a fine and pay damages of some kind. I can't legally say "none of my business" and start a new company doing the same thing: I am still responsible for those Torts and must still pay damages.

  9. Smithson

    "PhonepayPlus"? The regulator sounds more like a scamming app than the scamming app.

  10. Stuart

    Aqua marina - exactly, their best bet will be just to claim Connect Ltd is insolvent and re-appear in a month or two as Connekt Ltd. I'll be amazed if anyone gets money back from this.

    Not a problem restricted to Android but crappy consumer protection in general.

    1. Mephistro
      Thumb Up

      (@ Stuart)

      "Not a problem restricted to Android but crappy consumer protection in general."

      The telcos take a good slice of the money, too. That's the reason they aren't monitoring these 'premium services' more closely.

      If there were some true consumer protection, most of these services would vanish, and the surviving ones would need a written contract before being able to charge anyone a premium rate.

      And the 'written contract' should be an standardised contract with fixed clauses explaining how much the customer will be charged for exactly which services. And a copy of this contract form should be given to the telco every time the premium service provider changes a single coma in their standard contract, so the telco can't claim ignorance on the scammers ripping off the public.

      Now, I reckon I won't see that level of consumer protection in my lifetime. If anything, we are going in the opposite direction. Sigh...

    2. RICHTO

      Actually claiming insolvency usually costs lots of money. They would be far better off to simply ignore Companies House and not send in annual returns until the company gets struck off...

  11. dotdavid


    This "PhonePayPlus" scam must be stopped immediately. Paying extra by phone for an app via underhand means exploits the vulnerable who won't be familiar with the complexities of modern smartphones.

    Wait... did you say PhonePayPlus is the name of the regulator?!

    1. Alan Brown Silver badge

      Re: PhonePayPlus


      Ofcom is the regulator.

      PhonePayPlus (Once known as ICSTIS) is a voluntary trade association of premium rate providers which has been delegated very limited powers by Ofcom and has zero enforcement powers.

      They're not, nor have they ever been a "regulator", despite claims to the contrary (and if you push 'em, they'll say as much in writing. I have a letter from ICSTIS days saying exactly that.)

      Connect could ignore them, not pay the fine and carry on (if their premium SMS provider don't disconnect them upon PPP request, which is about the only point of "power" PPP have) . At that point the only recourse would be to kick it up the food chain to Ofcom and OFT.

  12. Jim Coleman

    Ltd Companies

    Actually, although a limited company is itself liable for its debts and the directors are not, as this was a breach of the law, the directors are liable personally for the fine, IIRC.

    Fines, imprisonment and other remedies always apply to the directors, as long as they are personally held accountable. Only if the directors were shown to be ignorant of the crime their company committed would they get away with it, but even then I suspect some other employee would be held to account.

    Basically a limited company is only a protective shield against legal debt - criminal punishments are always meted out to individuals. Regulatory fines are another issue as they are not dished out by the criminal courts - they would normally become corporate debt so could theoretically be dodged by dissolving the company.

    So the question here then becomes whether this fine is criminal or regulatory. Sorry for rambling.

    1. Yet Another Anonymous coward Silver badge

      Re: Ltd Companies

      But still somewhat irrelevent if the "company" is just a bit of paper and the owners are just listed as "Boris Smith" "Russia".

      There isn't exactly a lot of checking to register a company in the UK - and there is no need to even register it in the UK.

  13. John Rose
    Thumb Down

    Thumbs up & thumbs down buttons

    @Phil O'Sophical

    I have clicked the buttons once for this message. But has put them in this message?

    PS I do not want to use NoScript as I have found it a constant nuisance giving exceptions / white list to it.

    1. The Original Cactus

      Re: Thumbs up & thumbs down buttons

      John, you can't include images in the body of the post. You can click on one image and it will appear on the left under your name, but that's it. Unless you post anonymously, in which case you just get the Guy Fawkes mask.

      1. John Rose

        Re: Thumbs up & thumbs down buttons

        Thanks for the tip. Looking at my last message, it works if I click once on each required icon.

  14. JaitcH

    Russia, a trusted source ...

    like China.;

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022