"App Farming" The newest SMS spam threat

The Lure of Easy Money

One should never underestimate the ingenuity of those seeking to make money with the least possible effort. For the dubious entrepreneur, the mobile market, with its new universe of apps and monetisation models, represents a world of opportunity.

In the world of app marketing, the three primary media purchasing models all rely upon pay-for-performance activity. And along with a significant flow of monetisable activity, there exists the opportunity for exploitation. The three fundamental models are: cost per click (CPC), where marketers pay for an active response such as clicking a banner; cost per impression (CPM), where marketers pay a fixed price for every 1,000 impressions made; and cost per action (CPA), where marketers define a desired action and pay when this action occurs, which may include sign-up, subscription, registration, download, install, purchase, click to call or other lead generation activity.

The rise of ‘easy money’ apps

The mobile marketing ecosystem is literally awash in billions of dollars. The Mobile Marketing Association estimates that the U.S. economic impact of mobile marketing activity will reach $400 billion by the end of 2015. It should be no surprise then that there is a genre of apps appearing that exploit activity in this ecosystem with the promise of ‘easy money’. For the user of these apps, this is achieved by exploiting some of the pay-for-performance activity through downloading apps, registering with various sites, watching video ads, registering for offers, referring friends, playing games and completing surveys. Searching the app stores using terms such as ‘free money’, ‘make money’ or ‘easy money’ returns hundreds of apps promising exactly that.

“App Farming” The new SPAM threat

There is now a convergence that merges the concept of apps exploiting the paid mobile marketing ecosystem with low-cost bulk SMS marketing. We term this “App Farming”, as the basic model extends the concept of SIM farms to the handset. App Farming enables the user of the app to allocate a volume of SMS messages from their handset to be used by the mobile marketing agency and then share in the revenue generated by this activity.

Stepping back and looking at SMS-based marketing in general, there has always been tremendous pressure to lower distribution costs and increase reach. The result is often business behaviours that may blur the line between what is legitimate and what is not. This is especially true when it comes to the aggregators of low-cost, bulk SMS, where the primary business model is to provide message traffic at a lower price than the network operators themselves. Aggregators seek every opportunity to ‘optimise’ costs wherever they can. These cost optimisation efforts often include utilising grey routes and SIM farms. Grey routes are sometimes referred to as “special carrier arrangements”, “settlement by-pass” or other unclear terms, but are generally defined as a legal connection between two parties that is being exploited by a third party to route traffic at the lowest rate possible by manipulating the origination or termination information. SIM farms are computers connected to a bank of mobile phone SIM cards, each with an account on a network with a favourable tariff such as an “unlimited SMS” bundle. The SIM farm cycles through the bank of SIM cards sending bulk SMS traffic and improperly exploiting what is a consumer-based tariff.

App Farming

With the rise of consumer tariffs offering unlimited SMS, we are starting to see a wave of applications appear that enable the subscriber to act as a micro-distributor by allowing a defined volume of text messages to be sent from their telephone number. In effect, the app turns the user’s handset into a single-node SIM farm, which is why we have termed this “App Farming”. The app providers claim legitimacy and that the messaging traffic will not be SPAM but will consist of verification codes, departure/arrival flight times, booking confirmations etc. from banks, airlines, hotels, other apps and websites. While the app itself and the activity that it enables are not technically illegal, it does cross over into an ethical and legal grey zone similar to the scenario where a user, consciously or not, allows their Wi-Fi to be used for hacking activity or sharing of illegal content.

User Experience

Users who download apps such as Bazuc or Eleandro are required to have an unlimited SMS tariff and be connected to Wi-Fi, EDGE or a 3G/4G network for data. The user links the app to their PayPal or Payza account for payment transactions, then designates a volume of text messages that they are comfortable sharing. The bulk SMS provider connects to the app via a data connection and uses the app to broadcast messages from that user’s handset. The SMS messages going through the handset are not seen by the user and are tracked only via the account balance, which is refreshed periodically as the server broadcasts SMS messages through the handset.

User Downsides

There are significant downsides for the app user. Not only does the application consume data from the subscriber’s monthly allocation, but every message sent via the handset also includes the MSISDN identity, which exposes the user to negative reactions either via return SMS traffic or harassing voice calls. Also, as most major mobile carriers have "fair usage policy" restrictions that forbid the use of consumer plans for commercial purposes, this activity may result in the carrier cancelling the subscriber’s services altogether. In addition, since the subscriber has made a connection with their PayPal or Payza account, the threat of financial fraud cannot be ruled out.

Detecting and Controlling App Farm SPAM

Detecting and controlling SPAM traffic from applications such as Bazuc is a challenge for mobile network operators. The application will typically use an SMS API to silently distribute traffic to the network via the handset. The result is that the network sees mixed traffic from the same originator, so network-level blocking of all messages from that user cannot be employed without impacting the subscriber directly. There are, though, some clever methods that may be employed to detect SPAM and determine the best course of action.
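One way to handle the mixed-traffic problem described above is to decide per message rather than per originator. The following is an added example, not code from the original article or from any vendor product; the record layout, function names and thresholds are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records: (originator, recipient, text). Not real traffic.
RECORDS = [
    ("+15550001", "+15550002", "Running late, see you at 7"),
    ("+15550002", "+15550001", "ok no problem"),
    ("+15550001", "+15550101", "Your verification code is 482913"),
    ("+15550001", "+15550102", "Your verification code is 120077"),
    ("+15550001", "+15550103", "Your verification code is 993104"),
    ("+15550001", "+15550104", "Your verification code is 551260"),
    ("+15550001", "+15550105", "Hi, is the bike still for sale?"),
    ("+15550003", "+15550004", "Happy birthday!"),
    ("+15550004", "+15550003", "Thanks :)"),
]

# Assumed thresholds for illustration; an operator would tune these.
MIN_ONE_WAY_RECIPIENTS = 3   # recipients that never wrote to the originator
MIN_TEMPLATE_REPEATS = 3     # same template sent to one-way recipients

def template(text):
    """Collapse digit runs so per-recipient codes map to one template."""
    return re.sub(r"\d+", "#", text.lower()).strip()

def classify(records):
    """Return one verdict per record: 'hold' for bulk-like, else 'pass'."""
    pairs = {(o, r) for o, r, _ in records}
    one_way = defaultdict(set)         # originator -> non-replying recipients
    tmpl_count = defaultdict(Counter)  # originator -> template -> count
    for o, r, text in records:
        if (r, o) not in pairs:        # recipient never messaged originator
            one_way[o].add(r)
            tmpl_count[o][template(text)] += 1
    verdicts = []
    for o, r, text in records:
        bulk = ((r, o) not in pairs
                and len(one_way[o]) >= MIN_ONE_WAY_RECIPIENTS
                and tmpl_count[o][template(text)] >= MIN_TEMPLATE_REPEATS)
        verdicts.append("hold" if bulk else "pass")
    return verdicts

def flagged_originators(records):
    """Originators with at least one held message (candidates for review)."""
    return {rec[0] for rec, v in zip(records, classify(records)) if v == "hold"}

if __name__ == "__main__":
    for rec, verdict in zip(RECORDS, classify(RECORDS)):
        print(verdict, rec)
```

The subscriber's conversational messages and a one-off first-contact message pass, while the templated one-way messages from the same number are held for review.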

Acision’s comprehensive solution to controlling fraud, fakes, spoof and spam provides the operator with 360-degree control to effectively address specific situations within their network. The speed of recognising a threat and the speed of reacting to it are key to ensuring safety, and Acision’s solution is unrivalled by other market solutions. For more information on our Spam and Fraud solutions please visit http://www.acision.com/services/messaging-infrastructure/spam-and-fraud.